Yeah, kind of an amateur-ish move to move them to Namecheap.
Isn't that odd? It's really bizarre for them to have used a destination registrar which is easily reachable and responsive. Both Namecheap and Name.com are investigating, and will reach some idea of what the situation looks like from their ends. There was a period of time quite a number of years ago during which a lot of stolen names seemed to end up there, but that was something like 2005ish. Then, for a long time a good deal of them went to Ename and other Chinese registrars. I don't think it was for any other reason than the language and cultural differences can make communication and establishing credibility difficult. Many registrars do have a procedure for investigating these situations and requiring indemnification by the victim for claims that might arise from unwinding the theft.
@bhartzer is absolutely correct on all counts above. Compromising the email account but not letting the owner know what's going on is key in these situations. I have to believe that some of them set up monitors so they receive text notifications when emails are received, so they can wake up from whatever hole they are living in order to deal with ongoing correspondence.
In addition to using two-factor authentication, it is a good idea to check the procedure for turning OFF two-factor authentication. Obviously, if there is any process by which someone can compromise the account email and manage to turn off two-factor authentication without having to use it, then that is an attack vector.
In this instance, the most likely route of attack appears to have been the hosting company for the account contact email address.