I originally thought that the 3 signers must have ALL somehow neglected to verify the receive address. But, that doesn't seem to have been the problem at all. Instead, all 3 signers' machines were able to be compromised - apparently because they were just not air-gapped?... like at all? Wow. Just, wow.
Discussion
Air gap is not an issue, not needed and not realistic - you have to transfer the data somehow. The correct solution is specialized, well-audited signing devices (AKA HWW) that have their own screen and buttons. (or simply touchscreen)
But that can't be done with Ethereum easily.