another large site, whether it be an exchange, mining pool, etc. could be logging BTC addresses & passwords for users and attempting them at other sites the user is associated with.
That is a very good point. Don't use the same password twice. Use a password manager to generate a good strong unique password every time you sign up for a new site.
My guess is you have been infected by a key logger, stealer or RAT, they've taken your password and gotten your BTC. I recommend you use 2auth next time you play on pd or in that case any dice site.
If his machine is infected, 2FA probably won't help him.
The attacker's malware could simply change the withdrawal address on the fly right after the victim types his 2FA code and submits the withdrawal request.
Depends on what he's been infected with. RAT yes, other software don't have the power to do as you state
also doesn't matter how strong your password is, key loggers take your password via cookies so doesn't matter if it's a 100char with specials and caps it still can be stolen, just not brute forced (which as I said is extremely hard to do these days).