You mentioned being hit by a trojan. I'd recommend starting there and letting them know about that. Then mention how your business's domain-name was stolen because of the security hole. Once they realize a business is being effected; hopefully that will get you a little more than ok thanks, here's your number. We'll call you.
I'm not saying this is an easy fix; but it IS Cyber-crime. I'd also consider talking with a lawyer if you can pony up the money.
And (not at you) ROFL down-voted for suggesting contacting the FBI. That's ok, keep paying taxes and not getting your money's worth. Government is there to help; they make a mess of things but they are better then a-LOT of the alternatives in other countries.
You are probably fucked in that regard. Unless the miscreant happens to be in the same state as you, local cops aren't interested. And the FBI won't look at anything that doesn't have at least $10k in demonstrable damages. At least that's how it went when I tried to deal with a loon who was DOSing a friend's side project.
Under US law you would use the civil court system to recuperate losses/damage (crimes against a person), and criminal court system to place the perpetrator in jail (crimes against society). This really is a bleak abstract of the US court system, you really should talk with a lawyer if you are considering further legal remedies beyond what ICANN policies offer.
This is why two-factor authentication is vital for email accounts. It's just too easy to accidentally reuse your email password somewhere, and then things like this can happen. With a second factor, someone would have to physically steal your phone or OTP device to access your account, and that's a lot harder for some hackers in China to do :)
It happens accidentally. I use different passwords for different services and remember them (rather than store them in a database). Once in a while, I'll type the wrong password into the wrong site. That's game over; the account that actually used that password is now compromised.
This is an important point: Type in the wrong password, and you've potentially given away the account that that password belongs to.
And, other things being equal, the more visible your "presence", including the account that the password belongs to, the greater the risk of compromise.
Did you type that wrong password into a dodgy site? Did you type it into a site that does not use https? While on a relatively more unsecure connection?
Even if you trust the ethics of the site, how do they log, and are those logs secure?
Well not set expectations lower, but rather more realistic.
Sorry to read what happened to you, throwawayhelp. As one who's worked with similar cases in my ex-registrar life, unfortunately I'll tell you right now these things do take time.
As mentioned earlier, give it about 24 hours. While we all want things immediately or done right away, things aren't always as simple as we want to believe.
As long as you contacted NameCheap right away and gave as much information as possible, they'll at least take action. Good luck, and keep folks here posted when you can.
It's been tough sleeping this week and pointing me to the ICANN process makes me feel a little bit better that there is hope!