Hi Rob,
After combine some clue i think they can not decrypted cause hacker no need access my computer to send away BBP. I am never unlock the cold wallet, if send or start SANC wallet prompt the passphrase (as my remmber this still not unlock permanent the wallet ) and the character still * when i typing. So the last maybe got keylogger.
I was also thinking that if they transferred the physical wallet file they could have sent the BBP from their node (but sometimes hackers deliberately do things to throw you off).
But anyway, I agree with you that the most likely scenario is the characters were logged- the first thing I would do is check all your running processes and see if any are Trojans or viruses.
If you have a running process that is a virus, it could have an integrated keylogger and may have been running for a while on that system.
They might have logged in with the same 6 character password into teamviewer (IE that might be how they discovered it) - the worm was first injected in your machine, ran as a keylogger, then they discover a password, then they install teamviewer server, then they log in with the pass, then try to steal anything they can find on the machine etc.