You’d think the answer would be simple. The exchange, of course. Should have used multi-sig keys – or if they were, should have enforced them more strictly. Should have kept funds in cold storage. Should have watched for suspicious transactions. If an exchange gets hacked, it must have had a security weakness. It’s hard to see that anyone other than the exchange’s developers and operators are responsible for this. More….