I have the same problem - my deposit in Bittrex was stolen through API-keys without withdrawal enabled.
Bittrex techsupport closed my tickets with standard bla-bla about phishing, viruses, phone, e-mail ang 2FA hacking and so on.
After third attempt they had to agree, that withdrawals were made with API-key.
Next question - how it was possible - my keys were without withdrawing, I received answer, that thief changed API key (enabled withdrawal), stole deposit, changed API key again (now my API without withdrawal enabled again).
Have to note, that change API-key properties requires 2FA confimation at least. And my phone was with me all time long (protected by password/fingerprint)
And yes, I checked my phone and computer for viruses, trojans etc. - there was nothing, of course.