How is this person draining Ethereum wallets?

https://etherscan.io/address/0x5e0a89dcee7bd3bc8b764f87a9448522aeece368

Someone gained access to my Ethereum wallet and drained half of its tokens to that account above. It appears that the person methodically did the same with a number of other wallets. My wallet that was drained is relatively new and only connected from one Windows machine through Metamask Firefox extension. A Malwarebytes scan was negative. It is not plausible that anyone had the keys or passphrase, except through my computer or Metamask. How did this person get a list of credentials to go through like this? Is there any post-facto forensic ideas I should think about? How can I connect and yield farm safely at one or two places without exposing myself to this again.