What a frightening experience! I'm sorry this happened to you. Curious to understand how these attacker obtain your phone number in the first place? I mean it's not something you publish widely right?
Unfortunately I don't guard my name + number like I do my passwords. Who knows how they found it, in a post equihax world I'm not sure anyone can consider this private.
I don’t mean to say it was OP’s fault but you shouldn’t really use your primary phone number for 2FA anyways. Using a burner dumb phone dedicated only for 2FA should be standard, right?
It turns out the hacker stole a dealer's ID which meant the OTP sent to my phone was never needed / used. The dealer id overrides the need for a password.