You know what is surprising here is why he even received codes in the email when 2FA is enabled in his account.  Why, can you choose where you want to receive the codes such as email even if 2FA is turned on?  The hacker who knew his login details tried to reset his password.  When you opened your email did it not mark as read?  This means that he will not be able to access even your email to get the codes.  Good thing that even that is already 2FA and the secondary layers of protection work.  Didn't you notice anything unusual about your account activity such as trade history?  So the hacker has not been successful in having full control or access to your account.

If some of your remaining coins are not supported by a hard wallet just use their official wallet because you are almost certain that you will hold your private keys or mnemonic phrases.  Or you can also use some trusted and recognized non-custodial wallets.