Sorry Op, I did not actually understand the story fully.
According to the story above, Alex is only in contact stage with the alleged or to-be partners. What really happened, did he disclose his private details at the course of the meeting?
Could it be that they hosted the meeting with tools like TeamViewer and he gave them unrestricted access to his computer?
He claims that interviews took place over Microsoft Teams, and that he was given an official link. Somehow I doubt it was an official link. They might have tricked him into installing a malicious extension followed by malware specifically created to find crypto wallets. What happened next is unclear. Perhaps it was drainer malware. Perhaps a keylogger that tracks and takes screenshot of everything you do. Perhaps a cookie hijacker that steals your cookies and allows you to access everything the other person does online. Who knows...
Thanks for listing the possible loopholes. I align more with the cookie hijacker because this can happen without Alex knowing. I doubt that Alex was tricked to installing malicious extension. This will only happen when he is so comfortable with the intended partners. I believe they already talked him into trusting them as he reiterated that he dealt with the officials.
Also Coyster could be correct that they exploited a vulnerability in the video conference software.
The end point is not holding such a large sum in a hot wallet which I believe Alex would have been aware of.