We're assuming the attacker logged in before updating the 2FA, right? Meaning the login 2FA was compromised, whether from Kraken or you. The first email you list says the 2FA was updated -- did they send you an email about a successful login prior to that?

Kraken-Chase, there's absolutely no way to remove login 2FA without being logged into the account, is there?

Also, is there no email confirmation required for withdrawals on Kraken? That's typically a very basic security requirement that all exchanges employ. The OP says their email account was not compromised.