The email being compromised opened the door to his email being compromised. The door to his Namecheap account being compromised was apparently already wide open.
No, OP didn't have 2FA enabled on their namecheap account. It was namecheap's fault for improper handling of the social engineering attack but OP could have protected themselves by having 2FA
I'm surprised no one else has mentioned no 2FA for the email. The email being compromised opened the door to this happening.