It certainly is a head scratcher. It seems inconceivable that someone would get 2 of 4 keys, but like you said, there must have been a breakdown in the process somewhere.
The process of tracking coins is one thing and recovering them is another thing, you need to be lucky to succeed in tracking those coins and then recover them because the only way to recover them is to deposit those coins in central platforms or a third party that can be controlled.
2 out of 4 will make a bug in your security model because if the scammer's access to any two of the four keys means that you will lose your money.
3 out of 5 would be a good choice, or more.
Now you have to move all the coins to another place, check all the things that led to the hack and then think about how to recover those coins