Unfortunately there is a lot of outright fraud in the crypto space currently. Their hack could have been nothing more than an exit scam, meaning they stole the money and are blaming it on being hacked by someone else. Since it is difficulty to trace cryptocurrencies as they could send it to a newly created wallet, then use a mixer and various exchanges to further hide, it can be hard to ultimately trace were the funds end up and who owns them.
Ok this is one way of scamming people.
...if they are using a hosted service, the admins of the hosting company could also hack in to their server using administrative privileges and run off with the coins.
So basically they are not hacking the blockchain or the token it self, but their website and the address they generate for users to send the tokens. Is this statement correct?