Situation update. I first reported this scam to Binance on the 29th or 30th of November.
After reviewing the case, we have concluded that this was not due to a vulnerability in BSC.
The 0 transfer from your address 0xb410e3d622D1072eE3E1cc6cdc90120E657977F7 to the scammer's address 0x27feaafd9b46b74bee510a0a538615d2ff639871 was not a withdrawal but a call to the token contract's
https://bscscan.com/token/0xe9e7cea3dedca5984780bafc599bd69add087d56#writeContract transferFrom function. The transferFrom function does not require the private key of the sender address if the amount is 0. Anyone can call transferFrom with any address + 0 amount in the token contract.
Note that this function is not specific to BEP20 but applies to ERC20 tokens as well. If you check this contract on Etherscan (and other token contracts)
https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#writeContract, you will be able to find and call the same transferFrom function.
2. What the scammer has managed to achieve was to use the function to his advantage and target users who would copy the scam address from the previous transactions, trick them into thinking that it was a legit address and make a deposit to it.
The scam continues and new victims lose money. 8 days have now passed since I reported this vulnerability, and Binance has not even said when it will fix this vulnerability.
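The behaviour described in the quoted response can be screened for on the wallet side. The following is an added example, not part of the original post and not Binance's or any token contract's code: it models the allowance check in simplified form (an assumption about typical ERC20/BEP20 implementations) and filters a transfer history so that zero-value entries signed by someone else are never treated as trusted recipients. The `Transfer` record, the helper names, and the addresses marked "constructed" are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    tx_sender: str   # account that signed the transaction
    token_from: str  # "from" field of the token Transfer event
    token_to: str    # "to" field of the token Transfer event
    value: int       # amount in the token's smallest unit

def allowance_allows(allowance: int, amount: int) -> bool:
    # Simplified model (assumption): transferFrom succeeds when allowance >= amount,
    # so amount 0 passes even if the owner never approved the caller.
    return allowance >= amount

def is_unsolicited_zero_transfer(t: Transfer, wallet: str) -> bool:
    # The wallet appears as "from", but someone else signed and nothing moved.
    w = wallet.lower()
    return t.value == 0 and t.token_from.lower() == w and t.tx_sender.lower() != w

def trusted_recipients(history, wallet):
    # Only recipients of transfers the wallet itself signed with a non-zero amount.
    w = wallet.lower()
    return {t.token_to.lower() for t in history
            if t.tx_sender.lower() == w and t.token_from.lower() == w and t.value > 0}

WALLET = "0xb410e3d622D1072eE3E1cc6cdc90120E657977F7"    # address from the post
REPORTED = "0x27feaafd9b46b74bee510a0a538615d2ff639871"  # address from the post
KNOWN_PAYEE = "0x" + "11" * 20                           # constructed sample address
OTHER_SIGNER = "0x" + "22" * 20                          # constructed sample address

# Constructed history: one real payment, one zero-value entry signed by a third party.
HISTORY = [
    Transfer(WALLET, WALLET, KNOWN_PAYEE, 5 * 10**18),
    Transfer(OTHER_SIGNER, WALLET, REPORTED, 0),
]

if __name__ == "__main__":
    for t in HISTORY:
        flagged = is_unsolicited_zero_transfer(t, WALLET)
        print(t.token_to, t.value, "IGNORE (unsolicited 0 transfer)" if flagged else "ok")
    print("trusted:", trusted_recipients(HISTORY, WALLET))
```
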