wallet: RPC calls that "leak" private keys should be disabled by default #8544

@laanwj


Someone on IRC is pretending to be tech support, and tells users to use the dumpprivkey RPC call and give the resulting information. Then he moves the coins to their own wallet.

All in all it is too easy to make the wallet leak information that can be used to steal the contents, without people realizing (its name is not obvious, like sendtoaddress).

A possible mitigation would be to disable all wallet RPC calls that return private keys by default, make them emit a WARNING, and only enable them with a specific command line option. This would provide advance warning, and also puts up a barrier for non-technical users.

(on the other hand, where does this rabbit hole end, someone could social engineer to get someone to use signrawtransaction just as well... almost all wallet RPC calls are dangerous in one way or another)

So another, more general, option would be to show a very serious-looking warning when opening the debug console, that people are using it to steal blabla. But that'd be GUI only.
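
The default-off gate proposed above, sketched as an added example that is not part of the original issue and is not Bitcoin Core's code. The option name `-enablekeyexportrpc`, the types and the demo table are hypothetical, and the handler output is a constructed placeholder rather than a key.

```cpp
#include <algorithm>
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// All names are hypothetical; this is not Bitcoin Core's RPC table or option set.
struct RpcCommand {
    bool exposes_private_key;              // true for calls such as dumpprivkey
    std::function<std::string()> handler;
};
struct RpcResult { bool ok; std::string text; };  // text: result, or refusal message

// Hypothetical opt-in flag; when absent, key-exporting calls stay disabled.
bool ParseAllowKeyExport(const std::vector<std::string>& args) {
    return std::find(args.begin(), args.end(), "-enablekeyexportrpc") != args.end();
}

class RpcDispatcher {
public:
    explicit RpcDispatcher(bool allow_key_export) : allow_key_export_(allow_key_export) {}
    void Register(const std::string& name, RpcCommand cmd) { table_[name] = std::move(cmd); }
    RpcResult Execute(const std::string& name) const {
        auto it = table_.find(name);
        if (it == table_.end()) return {false, "Method not found"};
        const RpcCommand& cmd = it->second;
        if (!cmd.exposes_private_key) return {true, cmd.handler()};
        if (!allow_key_export_) {
            // Refuse before the handler runs, so no key material is ever produced.
            return {false, name + " is disabled: it returns private keys. Anyone who has "
                           "this output can spend your coins."};
        }
        return {true, "WARNING: this output controls your funds; never share it.\n" + cmd.handler()};
    }
private:
    bool allow_key_export_;
    std::map<std::string, RpcCommand> table_;
};

// Constructed demo table; handler outputs are placeholders, not real keys.
RpcDispatcher MakeDemoDispatcher(const std::vector<std::string>& args) {
    RpcDispatcher d(ParseAllowKeyExport(args));
    d.Register("dumpprivkey", {true, [] { return std::string("<constructed-placeholder-key>"); }});
    d.Register("getblockcount", {false, [] { return std::string("0"); }});
    return d;
}
```

The gate covers only calls flagged as returning key material; calls such as signrawtransaction, which the issue also mentions, pass through unchanged.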
