Congrats on your first post. Regulation E continues to be a challenge to financial institutions.
I don't have quite enough information to asnwer your question so we may need to go back to our customer depending on how much of the story you have.
You mention $5K in credits that were made along with a large volume of debits. At first blush, your situation sounds like your customer participated in a Card cracking
scam. If your cardholder admits to giving their access device to a third party who then exceeded the authority given, then your customer is liable for their participation. See the definition of unauthorized EFT and supporting commentary to 1005.2(m).
(m) “Unauthorized electronic fund transfer” means an electronic fund transfer from a consumer's account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. The term does not include an electronic fund transfer initiated:
(1) By a person who was furnished the access device to the consumer's account by the consumer, unless the consumer has notified the financial institution that transfers by that person are no longer authorized;(2) With fraudulent intent by the consumer or any person acting in concert with the consumer; or
(3) By the financial institution or its employee.
On the other hand, a customer who falls for a phishing email and gives away their card information online would be protected under Reg E based on the commentary.3. Access device obtained through robbery or fraud. An unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery.
Your customer liability will be based on your assessment of which of the above circumstances applies. Regardless of your conclusion, remember that you do not have to reissue your customer another card.