A well programmed random number generator is going to be better than kind of "random drawing". The problem was the lack of oversight in having the code be submitted. Any code changes that would hurt the reputation of an organization this badly should require multiple sign offs by code reviewers.
Now, it is possible that this got past the code reviewers, in which case I either congratulate the fraudster for some real underhanded coding, or I accuse the code reviewers for being inept.
It is also possible that this came from the IT angle, in which case I congratulate the fraudster on being able to understand the code, the deployment process, and the steps to hide it all.