
Comment Re:What OS does this targeted banking fraud run on (Score 1) 35

Ok, let's elaborate...

Usually, the C&C server is a rented virtual server, hosted on a "cloud provider" with little regard to identity verification. Those servers are always paid for with money from an untraceable source (like Webmoney or Western Union). This makes it very difficult to track identities from the server to the money, and from the money to the owners of it.
VPS providers running Linux are plenty out there. And a remote Linux server is easier to manage than a remote Windows server [citation needed]. Deploying the C&C server infrastructure on Linux, using stolen SSH passwords with bots is way easier than doing the same using rdesktop to deploy the infrastructure on hacked Windows servers.
So, probably the server is a virtual Linux server sitting in a datacenter, and the owners of the datacenter may not be aware of the fact that they host a C&C Server.

On the client side, they are surely running Windows. Compromising a Windows user is easier than a Linux user. Linux users generally do not run SSH, Apache, MySQL et al. Linux servers do. On the other side, there's a massive amount of pirated versions of Windows XP vulnerable to a wide range of local and remote exploits. Sending a threatening email with a link is a very easy way to get a user to hit a site hosting an exploit pack and get infected. From there, the computer is owned and the user is owned as well.

It can be a directed phishing. If someone had access to the bank's client list, they can send a very convincing email with real data, and get a lot of customers infected. If they send a generic email to a lot of unrelated people, someone will notice and probably inform the bank of the attack.

Comment Re:software (Score 5, Informative) 169

Looks like you know nothing about mainframes and "aged technology". I work with mainframes. zVM, DASD, DirMAINT, RACF and other buzzwords are in my resume, along with Linux, Java, PHP, XML, jQuery, MariaDB, HTML5, Eclipse and others.
Mainframes are not aged technology. They are perceived as such by small companies and people. Big companies with big bucks know a lot about mainframes. They know mainframes are the most reliable hardware platform on the market today, and I guess it will continue as so for a couple of years, because mainframes were made from the start to be reliable. Other platforms got their reliability implanted on them. Mainframes were designed reliable and resilient.
Mainframes today run Linux too, not only the "aged mainframe operational systems." And here we have mainframes running hundreds of Linuxes with jBoss. They are about to be orchestrated by OpenStack, so managing all this "aged technology" will be done in brand new Android and iOS tablets.

Job prospects in my area, at least for the next decade, are very good. Half the openings in my area are still open, paying for an intermediate zVM administrator almost twice what a senior Java programmer or MCSE will receive. And there's no people applying!
But if the mainframe job market has a problem, it is lack of people. Mainframes are not user friendly, and youngsters are not likely to devote two or three years learning something from the grannies, in a very harsh learning environment, with a steep learning curve, when all their peers are talking about creating a new app and selling to Google for a gazillion dollars.
Peer pressure is a greater force than job prospects. I faced this pressure when I talked to my peers that I was learning mainframe and everybody laughed at me. Now I earn 3 times what they do, and I am training some of them to work with me.

Comment Re:well... (Score 2) 169

Not only that, it says "can be compiled for Linux, Mac, and Android". What about Windows?

The front-end is HTML5/Javascript. The daemon is written in C++, using a few open source libraries. It would only require a good C++ developer to port it to Windows.

And the entire protocol is opensource, the core technologies are opensource, so anyone with a good knowledge in C++ and any other language can port it to anything...

Submission + - Google: Android Malware Infections Literally One-In-A-Million (securityledger.com)

chicksdaddy writes: Google has been increasingly vocal in calling "bulls**t" on attempts by security software firms to paint its Android mobile operating system as "the next Windows" and a malware-ridden mess. Now the company says it has the numbers to prove it.

Speaking at the Virus Bulletin Conference in Berlin last week, Android team member Adrian Ludwig told an audience of antivirus experts and industry-folk that reports about Android malware (many of them propagated by AV firms) were overblown and obscured the real story: Android’s success at blocking actual infections. Citing Google data (https://docs.google.com/presentation/d/1YDYUrD22Xq12nKkhBfwoJBfw2Q-OReMr0BrDfHyfyPw/pub?start=false&loop=false&delayms=3000), Ludwig told the assembled that new security features, such as the Bouncer app testing service and Verify Apps technology make actual infections of Android devices a one-in-a-million occurrence, the Security Ledger reports.

Data collected by the Verify Apps service, which logs events involving hazardous applications, found that only 1,200 of 1.5 billion application install attempts were incidents in which “potentially harmful applications” ended up being installed on an Android device, Ludwig said.

This is just the latest effort by Ludwig to throw cold water on feverish reports about skyrocketing Android malware. (http://www.eweek.com/security/mobile-malware-threat-growth-hits-record-in-q2-mcafee) In June, Ludwig told an audience at an FTC-sponsored event in Washington D.C. that reports of widespread infections due to the recently discovered "BadNews" malware were simply not true. “We’ve observed the app(lication) and we’ve reviewed all the logs we have access to,” he said. “We haven’t seen a single instance of abusive SMS applications being downloaded as a result of BadNews,” Ludwig said at the time. (https://securityledger.com/2013/06/google-badnews-malware-not-so-bad-after-all/)

Comment Re:Max 5min on calls (Score 2) 110

They have a small, experimental tower, and users can saturate it quickly. Limiting each call to 5 minutes means that even in a saturated situation, everybody can use the system. You get dropped and enter the queue, and you can be sure that you can get access again later. If there's no such rule, some users could talk 4 hours straight and deny access to every other user. Here in Brazil we have dropped calls every few minutes and almost everybody accepts this as normal, so I guess the Mexican folks can handle that fine.

Comment Re:Sorry (Score 4, Interesting) 161

Let's pretend you have a million bucks in some bank (you do, don't you?). The bank says it will protect your money with their lives, and everything is secure. Someday you hear that one researcher (or troll, or terrorist) went to the parking next to the bank, started a sniffer, and discovered that your bank uses unencrypted WIFI networks, so he added a private IP address to his network card and could access all bank servers and read data from any account.
Who would you blame? The bank or the guy?

I still think that Weev is not a saint, but AT&T is to be blamed here. AT&T had to get a hefty fine for gross negligence, putting hundreds of thousands of customers in danger. Weev must be fined too, but serving 41 months of jail time is too much, IMHO.

Comment Re:LOL (Score 4, Interesting) 161

No, Weev is not an independent security researcher, he is a troll. BUT he used the same tools the researchers use. It's like passing a law outlawing the use of lockpicks. Surely all thieves would be affected, but it would affect locksmiths too.
If Weev loses the appeal, the traffic on the full-disclosure mailing list will drop a lot. If I discover a bug on Paypal website that allows anyone to access a third party's account, and I inform Paypal, I would be guilty.
Even Weev being a troll and thinking of making profits over the AT&T mistake, the problem is shifting the blame for exposing the innocent victims from AT&T to Weev. The way this is going, looks like AT&T did everything right, responsible, blameless, and an evil hacker with super-human powers hacked their NSA-grade secured servers and stole the data, when what really happened was that AT&T didn't even bother to protect the data in any way.

Submission + - How 'private' is TOR, really? ('hidden network', indeed!) (cbslocal.com)

garyebickford writes: I have a suspicion that TOR is nowhere near as private as is generally assumed. We can assume that some fraction of all the nodes out there are run by what I'll term 'spies' — entities who want to know things about whoever's using TOR. The question is, what fraction is sufficient to be able to reconstruct missing pieces, and figure out with a high degree of reliability what the 'real' source and destination are, assuming those 'spy' nodes can all talk to each other? There is some good math for doing such reconstructions of networks where most of the nodes are unknown. I suspect that the necessary fraction is somewhere near 10%. It's quite possible that your friendly neighborhood 3-letter spook shop knows a lot more about what's going through the TOR network than any of us, the great unwashed, realizes. So, how much of the TOR network needs to be 'cooperating' to significantly compromise privacy?

Comment Re:more difficult in practice (Score 1) 311

Nothing that the mighty checkinstall package cannot solve. Install it on your compiling machine, ./configure && make && checkinstall make install

It will create a shiny native package, compatible with your distro, ready to be installed with dpkg, yum, or whatever package manager you happen to have...

Or go full source and get a Gentoo distro...

Comment Re:Hardware lifecycle (Score 2) 157

And Microsoft is dangerously passing the message "don't buy now, wait until we give you all a huge discount later" for its customers.
Zune? Flop. Discounted and still flopped...
Windows Mobile Phones? Flop. And Lumia is even behind Blackberries
Surface? Flop. Give it for free to say we have marketshare.
Xbox One? Walking down the flop path, but some hope still exists...

Comment Re:Security? (Score 2) 336

If the system is running fine for decades, what is the chance that it would suddenly die for no reason next week?
It's a very good hardware platform, made to last for centuries. It is different from your brand new GPU card that will fail and die in 4 years. Mine has not failed yet, but will soon.
Almost all the banking business in the world runs on COBOL, compiled almost 40 years ago, and that keeps running and running. Why replace the core COBOL with Java or .NET, if they are working just fine?

Rest assured, the trusty PDP-11 will keep the nuclear plant running safe, as it has been done in the past couple decades.
