There is no evidence that a Twitter employee did these changes. In fact, the MO matches a hacked account that was sold on the dark web.

Hacked accounts are one thing, a dime a dozen for accounts without 2FA, but it's an incredibly rare instance to have a 2FA-enabled account hacked.

Obviously an alternative explanation could be the case of a very successful phishing campaign done against Twitter (=someone pretended to be William LeGate and convinced support to remove 2FA)... but that would also be a pretty loudly blaring alarm sign on its own given the potential for anything from Bitcoin scams over market manipulation to causing a war that Twitter still has.

100% believable, I'm sure that the data security rules at Twitter are basically completely gone at this point.