Yep. If they did exfil, it would make sense to do before they tweeted. I expect we'll see solicitations offering to sell a copy of DMs from the affected accounts - even if the hacker didn't exfil, the public doesn't know that and opportunistic scammers may try to pose as the hacker to get BTC.

Interestingly, by tweeting a bitcoin address, the hacker could authenticate themselves to 'potential buyers' by accurately describing future transfers of bitcoin from the tweeted address.