He connected his wallet to the scam site. Of course, the authorization/sign had the permission to move fund or he signed a contract which allowed the hacker to move funds. That's how it happened.
There's nothing to blame Ledger, they can't do anything. I see a lot of spam NFTs in my wallet, it's not my wallet but hacker/scammer trying to trick me.