I wouldn't talk about "stolen", as the codewords do not come mysteriously from outer space and depend on stable connections to another server = I am sure they have a contract somehow. You cannot get CWs for, let's say, at least 50% of the whole Sky program 24/7 (someone among all the customers here is always watching channels like Heimatkanal too, I guess *g*) without the server knowing it, but basically I support the conclusion that the CWs come from CacheEX. And cache exchange is the only way to get fake CWs; your own card will not generate fake codewords, so roman237 is also right with his assumption. If you look into the Oscam log you will find no error in most cases (many freezes without a timeout response but with a codeword well in time) = your receiver gets a codeword from the server for the ECM it sent in, but the codeword is wrong = does not decode = fake codeword.
The source of the codewords, the main server, needs to identify the connected line that generates the fake CWs and disconnect it. Should be possible; newer versions of Oscam support fake codeword detection (and claim accuracy >98%), but that's only useful if you have a 2nd CW source that delivers the right CW, and that has to be done just in time (around 600ms for the whole process back to the client receiver).