Kann ein TREZOR eine gehackte Metamaske schützen?

No, he would have to MOVE the assets to the new trezor wallet. The old wallet is already compromised and nothing can uncompromise that.

No

Not related much to the matter but a tip, next time have your friend and yourself set up a passphrase which acts as a 13th word and only every input it on the Trezor itself.

No, if someone has your seed phrase then they don’t need the physical device. (Your seed IS your wallet…)

the real question is what private seeds were abducted? if it was your friend’s MM wallet, then incorporating it to a HW wallet can still work providing he transfers his assets immediately to it from MM.

of course this isn’t advice i would suggest as a long term solution, it’s best practice to create a new MM wallet and incorporate it to a new HW wallet.

I don’t know, I would just move all funds to a new wallet. Then get a trezor and add it to the new wallet, keep valuables on trezor account. Would this not fix it?

When you link/pair your Trezor to Metamask, it links to a different Ethereum address than the primary account you use when you first setup Metamask.

The Trezor linked address will require the hardware wallet to sign transactions.

The primary account will not require hardware to sign transactions.

If you move all the assets to hardware controlled address, then you will have the protection of hardware signed transactions.

In your friends case, if a hacker already has the seed phrase to the primary account, they may have it set up to instantly retrieve any Ethereum that is transferred to that address. Since you need Ether to move tokens from the old address to the Trezor controlled address, it is possible that it may be stolen as soon as you put any Ethereum in that address. So, practically it would not be a good idea to attempt to move those tokens, given that you may lose whatever Ether you send to that address to pay for transactions fees.