...and how did you come to the conclusion they hacked the pi-hole?

Sounds like a poor or reused password.

I got tons of shh login attempts from Russia and China. I just install fail2ban.

Why is your pi-hole exposed to the internet? That's not a great idea. You could have other people using your DNS service also.

It's true it's security through obscurity and won't slow down a spear fisher, but I always change the SSH port to something like 22022 when I have to expose it to the internet and find this eliminates almost all of the portscanning/doorknob rattling. Same thing with wordpress, changing the /wp-admin directory is immensely helpful.

That’s terrible. Did you move on to something else?

Could have been a number of things - most likely culprit I've seen is that it was left exposed to the internet, ssh most likely, and the default password wasn't changed.