That depends on whether they hack the site to actually feed the malicious content or just get enough of a foot in to get it linked from an actual hosting location. If what they have is a database hack where they can inject some content but don't have full control, they may be pushing links while trying to get further access.