That's super shady because I know for a fact I didn't use a phishing website, the session ID even works.

I hope that's not what they say because it would be typical excuse. I might start video capturing each session now and my trust in them would be lost.

I was using them for about two hours pushing 0.25 - 0.3 bitcoin through at a time and then this.

For me I went to the .com and the session ID works so hopefully there is no excuse.