Board: Bitcoin Technical Support
Re: Mass hack -- over 1000 bitcoin addresses have been affected
by DireWolfM14 on 10/08/2023, 18:14:39 UTC
Sorry for your loss.  Just going through your post I have some comments and some suggestions.

Since 2018, I've been using a Bitcoin Core wallet (full node, but slightly cut down with a log block limit of about 30 GB + headers, etc.) on my own server (Ubuntu 16.04). The wallet was used not only to store BTC, but also periodically to deposit and withdraw BTC. Interacted with the node locally on my server.

I don't like mixing servers and wallets.  If I'm opening a node to the network, even just my local network, I won't ever use it to open a wallet.  Maybe overkill on the paranoid side, but just because I'm paranoid doesn't mean a hacker isn't trying to get at my coins.

The mnemonic for the current wallet was generated in 2020 using this library: bitcore-mnemonic + bitcore-lib.

Unconventional key generation.  I didn't go through this code, but I couldn't help but notice that bitcore-mnemonic is a Java applet.  As far as I know, web-browser and Java-based seed generators won't provide the same entropy that a Python or C++ seed generator can.  Again, to my knowledge this is due to whether the applet can access the CPU's ability to generate randomness, and I don't know if this particular Java app can do so.  If I'm wrong in this instance, this could be a non-issue.

The mnemonic was stored on the server, and also in my encrypted file with keys (strongbox). I did not decrypt it and did not use it in open form from the moment it was generated and placed in the wallet, because there was no need for it. Several backups of wallet.dat also resided on the server and never left it.

I don't know if this had anything to do with your hack, but storing seeds digitally, especially on the same machine as the wallet isn't very secure no matter whether the info is encrypted or not.  Loss of the machine could mean loss of your funds and all the backups.

Only I exclusively had access to the server via SSL, it was done from reliable places and with all precautions, and no extraneous activity on the server was recorded before, during or after the situation.

Please correct me if I'm wrong, but this makes me think you were using a third party VPS provider to run your node and wallet.  That's a big security risk in my opinion.