Board: Service Discussion
Re: Cryptsy account got hacked
by Automatic on 03/02/2014, 22:29:07 UTC
Quote
Once you login, you're asked to enter your two factor authentication details, right? After that, it doesn't ask you until your next login, correct? If this is the case, sounds like a piece of malware just stole the session authentication token (Cookie) and then used that (Maybe in conjunction with relaying the connection through your computer, in case Cryptsy checks the IP it was issued to).
Apparently 2FA is not as secure as I thought. That's probably what happened.

Quote
Do you mind testing something? Withdraw something, verify it, then, without logging out, withdraw something else, and tell me if it makes you verify then. If it doesn't, my first theory is looking all the better; if it doesn't, what actually stops him from just deleting the mail after he's done? Do you host your own mail server? Can you get logs?
It requires email verification for every withdrawal. I'm starting to believe that whoever did that actually managed to access my email, verify the withdrawals, and then delete all the withdrawal emails. I'm using an email address from walla.com which turns out to be not so secure. I just was under the impression that by using 2FA my Cryptsy account is uncrackable. Well, so much for that...

I thought the same thing. Almost immediately after this happened, I checked my gmail logs to see if any foreign IP had accessed my account. None at all.

Then refer back to my relaying; it'd be super simple to do. I'm pretty sure I could bring up some example code for you in a minute, simple as:

1. Zombie computer (i.e. you, infected) connects to owner, 1.1.1.1:8493.
2. Zombie computer (i.e. you, infected) also connects to gmail.com:443.
3. Zombie computer (i.e. you, infected) then forwards all incoming traffic from gmail to the owner (1.1.1.1).
4. Zombie computer (i.e. you, infected) then forwards all incoming traffic from the owner (1.1.1.1) to gmail.

No foreign IP addresses, as everything is routed through you. In fact, this is probably one of the most common tools in a botnet program, not only for this, but to be able to then execute not-so-legal things from someone who isn't linked to you.