Yeah, is there a security hole we should be aware of or was the macaroon accidentally posted to nostr?
Don’t you need to be inside the network to use the admin macaroon? Unless it was all open to the public.
Sorry, I'm actively trying to get to the bottom of this. My entire system is behind a VPC only accessible with my hardware VPN. I can't even access the network unless I'm connected to the hardware VPN (SonicWall). Here's what I've managed to put together so far. Still looking for how they were able to get access to my lnd instance.
The attacker:
Had access to the admin macaroon (from the Cashu mint Docker image or K8s)
Swept on-chain funds first (02:52-02:53)
Probed BTCPay unsuccessfully (03:14-03:29)
Closed channels cooperatively (03:34-03:38)
Continued sweeping over 2 days