Looks like malicious party was not only malicious but also stupid. There’s no reason whatsoever to use the same key twice. Anyone can write a simple function which will generate an infinite, random looking but deterministic, the sequence of keys. And use this data to give a unique picture.

“we still have no idea whether the current site owner is the malicious party” — lol, what? the owner has swapped random generation with deterministic from the server, it 1000% malicious party.