Brutal. If Umbrel was on clearnet, assume full compromise: isolate the box, rotate LND macaroons and TLS, sweep any residual on chain to fresh descriptors, and rebuild clean. For the relaunch, at Masters of The Lair we favor Tor-only, RPC bound to localhost, admin behind WireGuard, a default-deny firewall, alerts and daily caps on swap volume, and a tiny hot wallet with policy guardrails. Any IOCs, or which creds were taken, that you can share to help others?
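The "Tor-only, RPC on localhost, admin behind WireGuard, default-deny firewall" part of the reply above can be checked and generated rather than eyeballed. The script below is an added example for this thread, not code from the poster or from Masters of The Lair: it audits an lnd.conf for the clearnet and API-exposure settings the reply lists (the keys used, such as tor.active, tor.streamisolation, externalip, listen, rpclisten and restlisten, are real lnd.conf options), then prints a default-deny nftables ruleset that admits only loopback, established traffic, WireGuard, and SSH from the WireGuard subnet. The two sample configs are constructed for the demo; the WireGuard port 51820, the subnet 10.8.0.0/24 and the temp-file paths are assumptions to adapt to your host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit an lnd.conf for the
# clearnet / RPC exposure the reply warns about and emit a default-deny
# nftables ruleset that only admits WireGuard. Port, subnet and paths are
# assumptions for the demo.
set -eu

# Print the value of <key> in <file> (comments stripped, first match only).
conf_get() {  # conf_get <file> <key>
  sed -n -e 's/[[:space:]]*[;#].*$//' \
         -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# One line per finding; prints nothing for a config that matches the advice.
lnd_conf_findings() {  # lnd_conf_findings <file>
  local f=$1 v key
  v=$(conf_get "$f" tor.active)
  [ "$v" = "1" ] || echo "tor.active is not 1: node will make clearnet connections"
  v=$(conf_get "$f" tor.streamisolation)
  [ "$v" = "1" ] || echo "tor.streamisolation is not 1: peers share one Tor circuit"
  v=$(conf_get "$f" tor.skip-proxy-for-clearnet-targets)
  [ "$v" != "true" ] && [ "$v" != "1" ] || echo "tor.skip-proxy-for-clearnet-targets bypasses Tor for clearnet peers"
  v=$(conf_get "$f" externalip)
  [ -z "$v" ] || echo "externalip=$v advertises a clearnet address"
  # p2p listener: with Tor-only, the onion service is the only public endpoint,
  # so the TCP listener should be pinned to loopback.
  v=$(conf_get "$f" listen)
  case "$v" in
    localhost:*|127.0.0.1:*|'[::1]:'*) ;;
    '') echo "listen unset: lnd listens on all interfaces unless tor.active=1; pin it to localhost:9735" ;;
    *)  echo "listen=$v binds the p2p port outside loopback" ;;
  esac
  # gRPC / REST: unset defaults to localhost, anything else must be loopback.
  for key in rpclisten restlisten; do
    v=$(conf_get "$f" "$key")
    case "$v" in
      ''|localhost:*|127.0.0.1:*|'[::1]:'*) ;;
      *) echo "$key=$v exposes the API outside loopback" ;;
    esac
  done
}

# Number of findings for <file> (0 for a clean config).
finding_count() {  # finding_count <file>
  lnd_conf_findings "$1" | grep -c . || true
}

# Default-deny inbound ruleset: loopback, established flows, WireGuard on
# its UDP port, SSH only from the WireGuard subnet. No inbound 9735 is
# needed on a Tor-only node; outbound stays open so lnd can reach Tor.
nft_default_deny() {  # nft_default_deny <wg_udp_port> <wg_subnet>
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    udp dport $1 accept comment "WireGuard"
    ip saddr $2 tcp dport 22 accept comment "admin over WireGuard only"
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output  priority 0; policy accept; }
}
EOF
}

# Constructed samples: a clearnet-exposed config and the hardened version.
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT
cat > "$WEAK" <<'EOF'
[Application Options]
listen=0.0.0.0:9735
rpclisten=0.0.0.0:10009
externalip=203.0.113.7
[tor]
tor.active=0
EOF
cat > "$HARDENED" <<'EOF'
[Application Options]
listen=localhost:9735
rpclisten=localhost:10009
restlisten=localhost:8080
[tor]
tor.active=1
tor.v3=1
tor.streamisolation=1
EOF

echo "== findings in weak config ($(finding_count "$WEAK")) =="
lnd_conf_findings "$WEAK"
echo "== findings in hardened config ($(finding_count "$HARDENED")) =="
lnd_conf_findings "$HARDENED"
echo "== nftables ruleset =="
nft_default_deny 51820 10.8.0.0/24
```

Run `lnd_conf_findings /path/to/lnd.conf` against the real file on the rebuilt box, and load the ruleset with `nft -c -f` first to syntax-check it before `nft -f`. The output chain is left at accept because lnd needs outbound access to the Tor SOCKS and control ports; tighten it further once you know exactly which local ports Tor and any swap client use.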