I doubt it's that: I would have worked out the target sites hosts (looking up the IP), made a list, worked out the most popular by value - probably worked out it was linode and gone from there...once in, I'd bet it's a simple task of searching for the IP in their interface.
Ok, asking the other way around, did Linode check out the non-attacked VPSs to determine whether they didn't have bitcoin wallets on them?
I'm not disagreeing with anything else said here - it's just that it seems that the memo was very conclusive in stating something that couldn't be known unless there was more VPS introspection than they claim...
