(no title)

First question; was the amount stored on the ledger stolen during a transaction? If so then he may have been exposed to the same targeted Metamask attack as experienced by an NXM founder https://medium.com/@hugh_karp/nxm-hack-update-72c5c017b48. This wouldn’t explain the BTC and LTC transactions though.

My collection of possibilities:

1. The seed phrase was exposed. Maybe not from your piece of paper, but perhaps it was saved onto a text file, jotted down into notes, captured somewhere else. I realise given the other comments you are likely to disregard this one, I get it, but it still seems to be the most likely from the outside looking in.

2. The computer used to make transactions was hacked, as per the Metamask hack above.

3. Your nephew got into trouble and needed money. I’m not saying he’s lying to you, but he could be trying to save face.

4. A device on his network got hacked and he was subjected to a pretty targeted attack which could have made false transactions on his behalf if he accepted the certificates on his device, maybe. Perhaps a worm on his computer propagated to his iPhone to read the trust key.

5. Both ledger, and Trust are compromised to remote attacks. This would mean someone has found a way to read the seed phrase from ledger and trust remotely and then dump the wallet entirely. This would also make him probably the first person in the world to face these vulnerabilities on both apps. Hopefully you can see why 1 & 3 seem more likely than this.