Yes, he can. But his checkpoints will cause a conflict: all clients will switch into safe mode, and an "Invalid checkpoint found!" or "Invalid chain found!" warning message will be displayed. The stolen key becomes useless immediately after this, and a checkpoint chain reset would be required to resolve this situation. That's why he must DDoS the existing node beforehand, to prevent it from sending checkpoints.
Something doesn't add up here...
Why would the attacker's checkpoints cause a conflict? How would the network know that they were created by the attacker, if he used the same private key and/or the same physical machine as the "real" masternode?
If the network had a way of knowing this, then this masternode would not be necessary at all. The masternode serves as a "trusted party" - the network trusts the masternode, so if the attacker gained control of the masternode, then how would the network know that control of the masternode had been taken over?
Where could I read technical information about how exactly this "advanced checkpointing" works?