I assume that OP didn't actually purchase the bitcoin 25 minutes before the transaction with the thief like Csmiami suggests. More likely is the bitcoin were already on his Binance account and had been for some time, he simply withdrew them to his own wallet shortly before meeting up with the thief. And the first transaction for 10,000 satoshi was presumably a "test" transaction, to ensure the addresses were correct and there was no concern regarding clipboard malware, fake QR codes, or whatever. Once they saw those 10,000 sats show up unconfirmed in the thief's wallet, he then made the rest of the transaction.