Adding mail confirmations for withdrawals will be a solution.
If the 'hacker' has access to the account, this means your email address could have been compromised as well, if he knows which email address is linked to the PD account. The simplest solution to this is to force 2FA for every account; this is the simplest yet the toughest thing for the hacker to break.
Yes, if they got hacked it is highly possible their mail got hacked too, but at least they will see the confirmation mail in their mail, or they will see their mail password changed too, so they won't doubt someone at PD staff got their coins.