It seems to be a language issue. "Bypass" to me makes it sound like there's work involved to bypass Sandboxie when you own the kernel. There is not. As long as this is clear, we agree. This is the bit I'm trying to explain - Sandboxie was defeated the moment they got into the kernel; it is purely through the attacker not caring that Sandboxie was able to virtualize the binary payload. I do expect kernel exploits to become more common, but usually held for businesses as they're more valuable and not something you'd want to give up easily. I don't think it's too likely to be a grsec-bypassing kernel exploit. Without logs, which unfortunately are not available, we can only speculate, but it seems unlikely. More likely it was in a web-facing service.