Thanks for all input but there are still many questions. First of all trezor gave me the explanation that i got hacked because i entered the incorrect website
https://wallet.trczor.com/However the browser history shows a visit to this fake website one hour prior to the hack. On the time of the hack the browser history shows i was on the correct and legit Trezor website. In addition my Trezor transaction sheet shows a payment to Bitrefill and at exactly the same time a transaction (hack) which lead to the hack of 28+ BTC!!
When you were on the fake page did you enter your seed/passphrase or maybe you downloaded the firmware? The site itself shouldn't do any harm to your hardware wallet, but it's possible that you infected your computer with some malware or keylogger, so that the moment you were on the legitimate site and made a transaction to Bitrefill, the hacker used it to perform one unauthorized transaction.
What’s weird is that the hacked coins didn’t move from the address they were moved to, which reminds me of this case
Fraudulent transaction along with the correct one(Ledger Nano S + Electrum). Of course it's about another HW and Electrum, but the similarity is that in both cases coins are not moved from alleged hacker address.
Therefore, there is a possibility that these 28+ BTCs are still in Trezor, but they are hidden in some strange path. For more information visit this link ->
Change path protection.