3. Once the 2FA email was changed, he either used a brute-force attack to crack the password or, more likely, he already acquired it from numerous user-data leaks, which is how he was targeting the accounts in the first place.
You do realize that this step is unnecessary if he had an access level that allows him to disable 2FA and change the email address, right?
How? He still needs the password to access the wallet.