Because mods have decided to sort this thread by "controversial" I'm replying to this post, as it shows at the top.
From u/VFR800
More detailed ELI5
The allegations were debunked quite logically for the average layperson. Their attempt at creating a vulnerability is not possible, because the DCI group draws a situation where the victim is:
(a) BOTH naive enough to follow obviously malicious instructions from an unknown attacker AND capable enough of coding IOTA transactions by hand in a code editor, OR
(b) Naive enough to enter their seed into a malicious piece of software provided by the attacker, at which point the attack as originally described no longer exists because the attacker now has the seed directly (and access to funds on ALL addresses).
When confronted about the practicality of the attack, rather than address these issues, DCI misled the public into believing the IOTA network had a vulnerability.
More detail:
Here are the steps required in scenarios A and B:
Attacker asks victim: "May I please have an unused address to send you money?" or "Would you please send me a transaction that uses an address generated from your seed?"
Attacker generates a new bundle (transaction), and sends it to the victim
Scenario A
Scenario B