2) Password updated
3) withdrawal request made to unvalidated adress
I have no clue as of yet how it is possible to update the 2FA without already possessing it.
Please help
I'm sorry that happened.
Kraken has forum reps that occasionally respond in this thread. You probably won't get much information outside the ticket system, though.
Do you mind disclosing what form of 2FA your father was using? I believe Kraken still allows users to use a second "static password" as 2FA rather than true 2FA -- something you have, like TOTP authentication on a phone. If he was using this method, it's possible he had both of his passwords compromised by a social engineering attack or hack. That would give the attacker all they needed to change 2FA and withdraw his funds.