https://www.reddit.com/r/NucleusMarket/comments/3djxcb/nucleus_purchase_sent_coins_to_wrong_vendor/
Exactly the same thing happened to me yesturday, to the same account, it appears the mods have noticed but have done nothing about it.
Explanation: Its seems like after the site update on the 15th a user, yet to be identified, was able to access the site code that handles purchases. When one makes a purchase with a vendor, the transaction really occurs between your account and a vendor account named "dreadheaddrilla"
This "dreadheaddrilla" is obviously a front for this "hacker" to get your coins without requiring a pin. It also appears this little trick gets him your account also since my password was also changed.
Please get this information out there, admins have "locked" the "dreadheaddrilla" account but won't respond to tech support tickets, nothing on the forums (unable to log in or create account), and it very definitely isn't a phishing scam since the mechanism has been identified as occuring when you order from legitimate vendors.
Potentially an XSS injection in the original listing you purchased, send me a link to it and I'll investigate this later since it has come from an established account. Send me as much info as to what happened.
Edit: wouldn't surprise me if they haven't validated listing descriptions, usernames weren't validated until about a month ago.