Bad opsec or inside job.

Would like to give the benefit of the doubt, but we'll probably never know for sure.

Silverlining - this has sparked a lot of conversation and change how CCS proposal funding is done that minimizes trust in the holders (multisig) or straight up don't require them at all (direct funding from community):

monero.observer/cypherpunk-transmission-017-rethinking-monero-ccs-cypherpunk-proposal

I'd prefer the latter and like this proposal