I can think of at least one far out but possible scenario that would explain all of the details.  If your PC was compromised and something on the PC routed your entire browser session through a proxy controlled by the thief then this should be possible.  The 2fa is time based so the exact same code is good for about 30 seconds. If they routed your browser session through their proxy and then hijacked it man-in-the-middle style and then used a script to initiate withdrawals pretty much on the spot, then the same 2fa code would very likely be valid.  That proxy could also explain why you couldn't load the page for a bit after you logged in.