Condoras, which steps did you have to take before this happened? Just clicking on "claim NFT" only? Or also enter your password and/or seed phrase?
I surely hope the latter too, otherwise it would be too easy for those scammers.
He connected his wallet to the scam site. Of course, the authorization/sign had the permission to move fund or he signed a contract which allowed the hacker to move funds. That's how it happened.
There's nothing to blame Ledger, they can't do anything. I see a lot of spam NFTs in my wallet, it's not my wallet but hacker/scammer trying to trick me.