It sounds very odd that someone getting a hardware wallet (knowing what hardware wallets are for) ends up typing in their own seed during the setup.
Worse! It was after the setup. He set up his wallet and then he moved his coins to it. After some time, he claims his wallet notified and instructed him to visit a website (which he believes wasn't the genuine Ledger website, obviously). It was on that website that he entered his seed, and shortly after had his wallets emptied. I have never heard of a scam involving this last step.
It would not make sense if the device itself prompted him to visit a fake website, I don't know how the attacker would mess with the device itself that way... What are the chances he bought a counterfeit Ledger or the Ledger box was altered so we would visit the fake website after going through the setup?
Anyway, he was still a victim of lack of information and his own ignorance. Anyone who knows at least a little bit about the functionality of a HW would be aware that typing the seed anywhere is a bad idea.