I can't believe in this story, we need some proof.
If you have 2FA, you need the device to get the pass code that changes every 30 seconds or the hacker is like god and can bypass it.
In bittrex, if you acess from differente IP, you need to confirm via email, so hacker need to hack your email too.
Not impossible but its very hard to get something like this.

I think your friend doesn't have 2FA, only email alert, so if his password compromised he got hacked.