If found
another article , and it says that stolen cookies can be used to fake the identity of victim's machine, and thus login without a 2FA check on some sites. However, there are still a lot of unexplained details, like how they avoid 2FA checks on withdrawals, how do they spoof IP address and so on.
Faking the identity of the victim's machine will not make you bypass 2FA, I have 2FA setup on all my exchanges and I always asked to enter my 2FA and I never changed the computer I am using with my exchanges, also in some exchanges like Bittrex I always have to confirm by email+2FA if my Ip changed. I don't see in the article any mentioning about the way the attackers get bypass 2FA and if they are talking about the old one-time text message it still can't be done because it is only valid for one-time logging and for a limited time.