Sorry I read just the first couple pages of this - but - at the OP, useful would be your step by step of how they got the domain out of your account?
For example, my DynaDot and GoDaddy are both set for two step authorization. Just to login to my DD if the IP address is not recognized two step authorization kicks in.
To get a domain out of my accounts, would require unlocking of a domain, which all my domains are set as locked, until via two step authorization, I unlock them.
So...how did this happen, OP?
Suggest that you enable two factor authorization and set all your domains as default locked from now on - I assume NSOL allows these settings same as DD and GD.