It is an interesting question. Physical security is significant. On the other hand, the physical server is not necessarily the set of digital controls that establish the server's authenticity. The significant part is performing something similar to a "Turing test" whereby the capturer continues services just as if they were the previous operator of the service (but without the security holes).

OTOH, if the capture failed to also capture banking flows from customers to the service, then the capturer would have a paddle-less canoe.