It sounds very odd that someone getting a hardware wallet (knowing what the Hardware wallets are for) ends up typing down its own seed during the setup.
Worse! It was after the setup. He set up his wallet and then he moved his coins to it. After some time, he claims his wallet notified and instructed him to visit a website (which he believes wasn't the genuine Ledger website, obviously). It was on that website that he entered his seed, and shortly after had his wallets emptied. I have never heard of a scam involving this last step.
- not a word of the phishing website, again weird, hot the hell don't you remember it?
He doesn't even have to remember it. He could look it up in his browsing history. Maybe he doesn't know that either or will tell us he ordered it in incognito mode.