Security at Interactive Brokers

It seems these are the relevant threads: https://www.reddit.com/r/ibkr/comments/18qztks/ibkr_security/ and https://www.reddit.com/r/interactivebrokers/comments/18qnnuz/ibkr_fraud/

Opening a bank account using a stolen identity might be possible, but I wouldn’t expect that to be easy, so this seems unlikely for a few thousand dollars, unless Lloyds has a critical weakness that makes it easy to create bank accounts without identity checks, or there are accounts where the name is not verified for incoming transfers.

For the IBKR part, my guess would be some form of phishing: accidentally logging into a fake version of the IBKR client portal, e.g. via a link in a fake email. An alternative is that the laptop was infected by malware.

The combination of a bank account opened with a stolen identity and a phishing email or malware would require an elaborate targeted attack, which doesn’t make sense in this case. If fake Lloyds accounts can quickly be opened, I suppose they could have opened that account after the successful phishing/malware attack, so it wouldn’t have to be targeted.

The above is pure speculation, of course, but we don’t have more information. If it was indeed phishing or malware (and not e.g. IBKR servers being hacked) and the withdrawal was sent to an account with the right name, IBKR would indeed not be responsible as I see it. That said, they could provide options to tighten security, e.g., add extra steps for adding a new withdrawal account (could be verification code via email [which must not be a new address] in addition to regular 2FA).
