unencrypted wallet, I take it?
No, he said on OP, open RPC (well, maybe the wallet was unencrypted too, but it doesn't matter, that's not how it was stolen). Summarizing, it is as if his bitcoind node was accessible by anyone on the internet that happened to know his password, and apparently the password wasn't that strong since it was bruteforced. The attacker just requested the victim's bitcoind to send him money, and it sent.
aren't private keys encrypted, therefore even with open RPC one would still have to decrypt them before a transaction could be made? In other words, an attacker would have to know rpc username/password and the wallet password?