another large site, whether it be an exchange, mining pool, etc. could be logging BTC addresses & passwords for users and attempting them at other sites the user is associated with.
That is a very good point. Don't use the same password twice. Use a password manager to generate a good strong unique password every time you sign up for a new site.
doesn't matter how strong your password is, key loggers take your password via cookies so doesn't matter if it's a 100char with specials and caps it still can be stolen, just not brute forced (which as I said is extremely hard to do these days).
I'm talking about using a different, non-guessable password on each site. Because if you use the same password on scamdice.com and primedice.com then the operator of scamdice can log your password when you log in there and try it on your primedice account.
Kind of off topic, but what do you mean by "key loggers take your password via cookies"?
If his machine is infected, 2FA probably won't help him.
The attacker's malware could simply change the withdrawal address on the fly right after the victim types his 2FA code and submits the withdrawal request.
Depends on what he's been infected with. RAT yes, other software don't have the power to do as you state
I would expect most malware has the ability to update itself or download and run arbitrary files, but maybe not. I figure once you're infected it's game over and the attacker can do whatever he likes on your machine.