Leaseweb denied earlier reports that a vulnerability in its WHMCS billing and support system software might have been responsible for the hijack, but without naming a cause.
Except they have clearly identified the "cause".
Right now, it appears that the hijackers obtained the domain administrator password and used that information to access the registrar.
So the 'hackers' used compromised account details to log into the domain registrar and change the DNS records.
What they haven't identified is how the attackers managed to obtain the password for the domain admin account.