Clever lad but horrible opsec. Sounds to me like Indexed Finance had bad business logic and they had it coming.

There was no break in or exploiting, it was a trade using flash loans, fair enough if you ask me. A platform trading hundreds of millions should invest in proper security audits

What's the lesson? Maybe tornado cash the gas tokens before doing stuff like this and definitely never post it on social media or acknowledge that you did anything. Be smart and have good opsec