Re: Crypto owner losses ≈ $1 million after fake job interview
by Lucius on 08/09/2025, 15:27:07 UTC
I don't understand how it was possible to empty 150 different crypto wallets with just one click on a link? What comes to mind is that this user may have protected his wallets with a password that was very simple and identical for each wallet, but again, if we take into account that someone stores so much value in hot wallets, then it is possible that he also stored his backups on the same computer in unprotected text form.
Even if he used the simplest password, how did they find all his wallets and gain access to his computer to empty all of them? It's quite an advanced scam compared to the usual phishing schemes we see on a daily basis.

I read the article on the link posted by @lovesmayfamilis, and it seems that the matter is very simple: the person literally has to click on a link that the attacker sends in the chat in order to download the malware, which then gives the attacker complete control over the user's computer, something like a remote access trojan (RAT).

The target receives a phishing message explaining that there will be changes to the employee's vacation schedule and that some employees, including the victim, are impacted. The phishing message contains a download link to the supposed new schedule, which is actually a link to the DarkGate malware. If the malicious file is executed on the target machine, it will install the malware, giving the attacker complete access to the device and its data.

However, even with full access to the computer, you cannot empty all crypto wallets just like that, unless they are not protected by a password at all, or the attacker knows which wallets the user has and prompts him to open them and thus finds out the password.