No, that would make sense if the user actually went to the website manually from the browser and downloaded a fake wallet. That would be as dumb as downloading it from a porn website. But the response from the server was manipulated from the official electrum wallet they were using. My only concern is, the chances of such hacks happening again in the future are high and newbies will be the primary victims since not many know that they can be hacked within an official wallet. Maybe someone should write proper step-by-step instructions on setting electrum up which newbies can refer to.
Unless... he verified his wallet files...
We need to tell them to make an habit on verifying their files REGARDLESS of from where he downloaded the files from. If it was from a link that popped up in the official wallet, a random website, or if satoshi himself came to his house to give him a file. It doesn’t matter. VERIFY.