But how about the cosigner keys/seed phrase when you setup the MultiSig wallet?

How did you set the cosigner 2 and 3 during wallet creation, there are options there to either put a master (private/public) key or seed:
https://www.talkimg.com/images/2025/02/18/qmO7D.png

If "Cosigner seed", and you pasted your Exodus and Trust Wallet's seed, then the hacker can just use that MultiSig wallet to spend without needing your Ledger device to cosign.

If "Cosigner key": Did you pasted your Exodus and Trust Wallet's (master) extended public key or (master) extended private key?
If the latter, then it's the same as putting the cosigner seed, the MultiSig wallet isn't properly setup, it's a MultiSig wallet already capable of providing two of the required signatures.
If the former, then it's something else, probably compromised backup seed phrases.