Glad to hear you were able to mitigate the attack. All too often we only hear about the opposite result. For 2FA a hardware security key, like a Yubikey is your best option. Most large exchanges support using a Yubikey directly. If someone has access to your phone they could gain access to your software 2FA authentication account, but a Yubikey requires physical access to use, similar to a hardware wallet and is something a hacker or someocan't do. It also has an authenticator app to use 2FA on websites that don't support using security keys. The Yubico authenticator app requires the Yubikey to use, so it's safer than using 2FA apps like Google Authenticator or Authy.