Out of curiosity, is it a mobile authenticator you use? Is the authenticator tied to some kind of account itself?
Just to add to this. As you have e-mail access I have gone ahead and secured your account while you take steps to secure it. I have removed the ban also.
I would recommend ensuring that your e-mail and method of authentication are secure and that you are using two-factor wherever possible. I would also recommend you ensure you have no inbox rules set up with whichever e-mail provider you use as hijackers are able to use inbox rules to forward themselves your e-mails.
The same goes for your actual account. When you are able to log into the Runescape website please make sure you remove any connected accounts you do not recognize if there are any.
You could take an extra safe step and virus scan your devices. The above is my personal recommendation.