It was an address that we used for various development/testing purposes, so it's not too far-fetched that somewhere along the line it got compromised.
They probably weren't even aware that the NFTs were in the account. They likely only cared for the ETH and ERC-20s.
This is actually the address we originally used wayyyyy back in the day to send people ETH to pay for the gas to withdraw their DAO after the hard fork. It never held much money and was never stored securely (e.g. it was shared with various parties back then when I would be AFK for any amount of time). Lesson learned nonetheless. It's amazing it was used successfully and without compromise for so long, tbh.
From my personal understanding, it wouldn't need to be a smart contract necessarily, would it? Couldn't it just be a script that watches the balance of the address and attempts to send a TX for that balance minus the estimated gas cost?
/u/insomniasexx may have a better answer.
Yeah, it's most likely a script on a server somewhere (maybe Node.js, maybe PHP, maybe Go 🤷♀️) and a node. Basically it checks if any money came into one of the watched addresses that they have a private key for. If so, it would construct and broadcast a transaction from that address.
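The sweeper described in the two comments above leaves a recognisable footprint in the transaction history: every deposit to the compromised address is followed, within a block or two, by an outbound transfer of the whole balance minus the gas fee, leaving the account at (or near) zero. The following is an added example, not code from this thread or from any of the people in it, that scans a small constructed ledger for exactly that pattern so that an operator can spot one of their own addresses being swept. The address strings, transaction hashes, amounts and the block-gap and dust thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict

GWEI = 10**9
ETH = 10**18
GAS_TRANSFER = 21_000  # gas used by a plain ETH transfer


def sweep_amount(balance_wei, gas_limit, gas_price_wei):
    """Amount a 'balance minus estimated gas' sweep would send (0 if it cannot cover the fee)."""
    return max(balance_wei - gas_limit * gas_price_wei, 0)


# Constructed sample ledger (not real chain data). Addresses and hashes are placeholders.
_FEE_20 = GAS_TRANSFER * 20 * GWEI
SAMPLE_TXS = [
    # 0xwatched is drained to dust right after each deposit: the sweeper pattern.
    {"block": 100, "hash": "0xtx01", "from": "0xfaucet", "to": "0xwatched",
     "value": 1 * ETH, "gas_used": GAS_TRANSFER, "gas_price": 20 * GWEI},
    {"block": 101, "hash": "0xtx02", "from": "0xwatched", "to": "0xdrain",
     "value": sweep_amount(1 * ETH, GAS_TRANSFER, 20 * GWEI),
     "gas_used": GAS_TRANSFER, "gas_price": 20 * GWEI},
    {"block": 250, "hash": "0xtx03", "from": "0xfaucet", "to": "0xwatched",
     "value": 3 * ETH, "gas_used": GAS_TRANSFER, "gas_price": 20 * GWEI},
    {"block": 250, "hash": "0xtx04", "from": "0xwatched", "to": "0xdrain",
     "value": sweep_amount(3 * ETH, GAS_TRANSFER, 20 * GWEI),
     "gas_used": GAS_TRANSFER, "gas_price": 20 * GWEI},
    # 0xnormal receives funds, holds them, and later spends only part of them.
    {"block": 100, "hash": "0xtx05", "from": "0xfaucet", "to": "0xnormal",
     "value": 2 * ETH, "gas_used": GAS_TRANSFER, "gas_price": 20 * GWEI},
    {"block": 120, "hash": "0xtx06", "from": "0xnormal", "to": "0xshop",
     "value": ETH // 2, "gas_used": GAS_TRANSFER, "gas_price": 20 * GWEI},
]


def find_sweeps(txs, max_block_gap=2, dust_wei=10**12, min_events=2):
    """Return {address: [(deposit_hash, sweep_hash), ...]} for addresses that are
    repeatedly emptied to <= dust_wei within max_block_gap blocks of a deposit.

    Balances are reconstructed from the given transactions only, so addresses
    whose history is not fully included (e.g. the faucet) may go negative; they
    are never flagged because a flag also requires a recorded deposit.
    """
    balance = defaultdict(int)
    last_deposit = {}            # address -> (block, hash) of its latest inbound tx
    events = defaultdict(list)

    # Stable sort keeps intra-block order as given (deposit before sweep).
    for tx in sorted(txs, key=lambda t: t["block"]):
        sender, receiver = tx["from"], tx["to"]
        fee = tx["gas_used"] * tx["gas_price"]

        balance[sender] -= tx["value"] + fee
        balance[receiver] += tx["value"]

        deposit = last_deposit.get(sender)
        if deposit is not None:
            dep_block, dep_hash = deposit
            drained = balance[sender] <= dust_wei
            prompt = tx["block"] - dep_block <= max_block_gap
            if drained and prompt:
                events[sender].append((dep_hash, tx["hash"]))

        # Record the deposit after checking, so a self-transfer cannot satisfy itself.
        last_deposit[receiver] = (tx["block"], tx["hash"])

    return {addr: evs for addr, evs in events.items() if len(evs) >= min_events}


if __name__ == "__main__":
    for addr, evs in find_sweeps(SAMPLE_TXS).items():
        print(f"{addr}: swept {len(evs)} times")
        for dep, sweep in evs:
            print(f"  deposit {dep} -> sweep {sweep}")
```

The check keys on two things at once: the outbound transfer empties the account to dust, and it lands within a couple of blocks of the deposit. Either alone is common for legitimate accounts; together, and repeated, they are the signature of an automated watcher holding the key. Feeding it a real history means pulling the address's transactions and receipts from a node or indexer and mapping them onto the same fields.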