There was a database leak for some games and services in 2017 and I think 2018 and IIRC runescape was on the list. I noticed a huge uptick of people in my clan/FC and on reddit being hacked and I think that's what the cause is, I had to do some googling to figure out that was the case since I didn't get any notifications from my password sites. There's nothing you can do to get anything back as Jagex support has one of the worst if not the worst support systems in place for a modern MMORPG and I'm sorry for your loss as I've been hacked as well while I wasn't playing the game for years. They won't bother going for the person who got into your account at all which is rather annoying as well.
Since you have control back, first thing to do (assuming you aren't infected with anything) is make a new email account specifically for runescape/mmo games. Make sure that email has 2FA to your cell phone and make the password something you've never used before. After that set your RS account to that email and then set up an authenticator. I personally use my old smart phone that hasn't connected to the internet in over a year and hasn't had a data plan in over 6 years. After that, set up a bank pin. Bank pin is kind of annoying but honestly its the last defense and its a good deterrent for buying time as it takes 7 days before its turned off.