Anyone intentionally exploiting a vulnerability (erm...."programming mistake") to drain funds is not a "regular user".