Are there any current patterns or scams that might have me with a friend that recently lost $115k?

I'm a retired tech guy that keeps my toe in the pool of how things work.

A friend of mine recently had accounts on Uphold and Kraken breeched. Whoever did this was able to transfer out some BTC from Kraken to the tune of $115k, but fortunately were only able to do a conversion on Uphold who flagged and stopped the transfer before they got a hold of 10x that amount.

He has asked I help him lock down his stuff so this doesn't happen again and I have begun the process of securing his devices. It would be enormously helpful is anyone could point me towards methodologies used so I know what to focus on. He claims to not have logged into any suspect websites or done anything that would have exposed him. It seems this person got his logon credentials out of the blue and he is spiraling wondering if someone forced cloned his phone, packet sniffed on public WiFi or other unlikely scenarios.

Before anyone says it, yes he was lax on 2FA. I am currently setting him up with a secure key and all that good stuff.