The best course of action for you is to contact your local law enforcement.
Exchanges will be able to reveal the bad actor's identity because he was KYCed.
And you will be able to get your funds back.
Try to avoid the following mistakes in the future:
Do not reuse old passwords
Do not use the same passwords on multiple services
Do not use passwords with your name
Use strong unique passwords, especially in financial services
Because ultimately your mistakes allowed the bad actor to simply log in to your account. He was not even trying brute forcing, he just logged in, because he knew your leaked password.