So the Tx from Kraken (in the mempool) is considered unconfirmed, and because it is in the mempool, it's ok to spend the utxo of this tx in another Tx?
This can obviously be only done by some mempool-watching bots.
This is very common for
leaked private keys: one or multiple attackers have bots competing against each other to be the fastest to steal any incoming funds.
And why is such a hack possible?
This is how Bitcoin works: anyone with the private key can move funds. The only thing that's left now is find out how the private key was leaked, and make sure it never happens again in the future. Considering the funds involved are quite significant, this should only have been send to a cold wallet. Hot wallets are inherently risky.