Once you log in, you're asked to enter your two-factor authentication details, right? After that, it doesn't ask you until your next login, correct? If this is the case, sounds like a piece of malware just stole the session authentication token (cookie) and then used that (maybe in conjunction with relaying the connection through your computer, in case Cryptsy checks the IP it was issued to).
Apparently 2FA is not as secure as I thought. That's probably what happened.
Do you mind testing something? Withdraw something, verify it, then, without logging out, withdraw something else. Tell me if it makes you verify then. If it doesn't, my first theory is looking all the better; if it doesn't, what actually stops him from just deleting the mail after he's done? Do you host your own mail server? Can you get logs?
It requires email verification for every withdrawal. I'm starting to believe that whoever did that actually managed to access my email, verify the withdrawals, and then delete all the withdrawal emails. I'm using an email address from walla.com, which turns out to be not so secure. I just was under the impression that by using 2FA my Cryptsy account is uncrackable. Well, so much for that...