But how about the cosigner keys/seed when you setup the MultiSig wallet?

How did you set the cosigner 2 and 3 during wallet creation, there are options there to either put a master (private/public) key or seed:


If "Cosigner seed", and you pasted your Exodus and Trust Wallet's seed, then the hacker can just use that MultiSig wallet to spend without needing your Ledger device to cosign.

If "Cosigner key": Did you pasted your Exodus and Trust Wallet's master public key or master private key?
If the latter, then it's the same as putting the cosigner seed, the MultiSig wallet isn't properly setup.
If the former, then it's something else, probably compromised backup seed phrases.