1) How the malicious party gained access to your account(s) in order to approve the transfer. This is typically caused by an email address compromise and something you will deal with directly with the email provider (be sure to request logs of recent access to your email account ASAP, this will help later). Also, change your account password on this account immediately and scan your local machine for malware.
2) The more pressing issue for you though is retrieval of your domain. Luckily ICANN has a very specific process on how to handle this, and it's mainly up to your registrar to handle for you. So contacting your registrar is in more cases all you need to do (remember, this isn't a basic support inquiry though, so you may need to wait for the fraud/abuse staff, depending on the registrar.)
You can review the specific process the registrar should be following here: http://www.icann.org/en/help/dndr/tdrp it's the official 'transfer dispute resolution policy'. I have handled these at the registrar level and 95% of the time it goes smoothly as long as the facts are laid out for all parties. Information such as the IP who accessed your email account at the time of the reg. transfer is one of the key pieces of evidence you can provide your registrar to make the transfer dispute go faster, however your registrar is likely (obligated under due diligence) to have their own records of the transferrers IP who approved the request.
I wish you the best of luck, I can't really help out specifically with your case but if you have any questions about the TDRP procedure feel free to ask.
P.S. "Step 3" would be to address any losses, if you want to seek this option out you will need to lawyer up as any damages claimed would have to be recovered in a civil dispute (this is presuming you are presiding under US law/courts)
You are probably fucked in that regard. Unless the miscreant happens to be in the same state as you, local cops aren't interested. And the FBI won't look at anything that doesn't have at least $10k in demonstrable damages. At least that's how it went when I tried to deal with a loon who was DOSing a friend's side project.
Under US law you would use the civil court system to recuperate losses/damage (crimes against a person), and criminal court system to place the perpetrator in jail (crimes against society). This really is a bleak abstract of the US court system, you really should talk with a lawyer if you are considering further legal remedies beyond what ICANN policies offer.
1) How the malicious party gained access to your account(s) in order to approve the transfer. This is typically caused by an email address compromise and something you will deal with directly with the email provider (be sure to request logs of recent access to your email account ASAP, this will help later). Also, change your account password on this account immediately and scan your local machine for malware.
2) The more pressing issue for you though is retrieval of your domain. Luckily ICANN has a very specific process on how to handle this, and it's mainly up to your registrar to handle for you. So contacting your registrar is in more cases all you need to do (remember, this isn't a basic support inquiry though, so you may need to wait for the fraud/abuse staff, depending on the registrar.)
You can review the specific process the registrar should be following here: http://www.icann.org/en/help/dndr/tdrp it's the official 'transfer dispute resolution policy'. I have handled these at the registrar level and 95% of the time it goes smoothly as long as the facts are laid out for all parties. Information such as the IP who accessed your email account at the time of the reg. transfer is one of the key pieces of evidence you can provide your registrar to make the transfer dispute go faster, however your registrar is likely (obligated under due diligence) to have their own records of the transferrers IP who approved the request.
I wish you the best of luck, I can't really help out specifically with your case but if you have any questions about the TDRP procedure feel free to ask.
P.S. "Step 3" would be to address any losses, if you want to seek this option out you will need to lawyer up as any damages claimed would have to be recovered in a civil dispute (this is presuming you are presiding under US law/courts)