I have the transfer-to addresses. The thief has done this multiple times...for 7.5 BTC too, in one instance. He's not lying and has never been known to lie.
I'm sure in the same way you can be sure that if you were tasked with doing the same thing, you'll feel 100% confident that no one would be able to access that paper. And even if they did, they wouldn't know what they were looking at.
Can you imagine a scenario where you secretly write some words down on paper, three years ago, near no devices, and you store it somewhere where you absolutely know for sure no one will ever access? I can imagine such a scenario for myself.
That's what he did.
Then we have the whole Trust Wallet compromise on his iPhone.
But that doesn't explain his Ledger wallet! I'll keep saying it...those seed words were on paper, hidden from all sight, without anyone knowing they exist...for years.
Then, on February 24th, both wallets get cleaned out at around the same time. Why sit on the seed words for years?
I cannot stress this enough. The seed words on paper were never exposed.
iCloud could explain his Trust Wallet, but not his Ledger wallet (with the seed words on paper, hidden and literally not seeing the light of day for years).
I want to make it clear that the Ledger passphrase, on paper, and hidden, was not ever accessed. And, even if it was, which it wasn't, his Trust Wallet on his iPhone was also compromised.
How can someone guess both passphrases, from separate wallets, in separate locations with different words? It's literally impossible.
Whatever technology is used to generate the passphrases in each of those wallets must be compromised.