If you lock the e-mail in the settings of scrypt.cc, a scammer/hacker/phisher/whatever would need to have access to both your account AND your e-mail, and know or bruteforce your PIN, before they could withdraw your money. Did all people that got their money stolen have their e-mail locked in the settings?