At some point two years ago, before Ledger introduced the confirmation of the receiving address on the device, there was an attack where a malicious script would change the address shown in the Chrome app (and it was very easy to do as well ... a few lines of code).
I don't think that's the case. As o_e_l_e_o already said, after 2 years, funds have not been moved yet.
Then the derivation path problem is more likely indeed. He can check the edit of my reply and try this.