Not Ledger's fault but good on them on trying to figure out what happened. My initial thought was he bought a tampered HW from a scammer but he says phrase was reset a week before. We can't be sure if that resetting was true though.   

What do you mean? If you say it's a vulnerability in erc-20 code, then I doubt it. Nobody can just take tokens away from someone's hardware wallet.

---