That’s good news. You probably got cookie logged, then. Still, of course, change your passwords and everything like that.
However, one thing still worries me. You said your hacker logged in from a VPN in Moscow, Russia. I’m gonna go out on a limb and say you don’t live in Moscow. If that Russian (or Russian VPN using) hacker had your cookie and attempted to login to your account from Russia, the cookie wouldn’t work. This is because Roblox cookies are region-locked as an anti-botting measure.
So maybe he got in some other way, like with your password.