Who is responsible for hacking the site if the customer did not transfer it from the test hosting?

I would reformulate the question:
1. You did not transfer a copy (archive of the finished site) of the work performed to the Customer - your fault.
2. You do not have a copy of the work done to restore the site - your fault.
3. You did not follow and warn the Customer about the possible consequences of continuing to use the test hosting - your fault.
4. You did not stop the work on the test hosting you paid for after receiving money for the work from the Customer - your fault.
5. You have not taken organizational measures to prevent a “point of no return” in case of hacking, failure of storage media, access policies (including password complexity, access from certain IP addresses, etc.), programmer errors and omissions when encoding a block verification of data coming from the user - your fault.
----------
From now on, keep an eye on these points.
And at this stage - help restore work and figure out how exactly the site was hacked and fix the vulnerability. This work should be FREE for the Customer in this current situation.

Logically, the customer owes one way or another for hosting. (If, of course, he knew about the need to transfer, otherwise it’s not at all clear why you hosted some project. Did it - gave it away.)
The cracker (your cap) is responsible for hacking. Maintainability is the responsibility of the maintainer.
PS: If there were no agreements, then it is not at all clear how you want to negotiate (which ones, by the way, were there at all? Where and how are they fixed?) I
will leave the question of restoration work open.

In general, this is your jamb. The customer may not even know the difference between test hosting and combat hosting.
Basically, you haven't done the job. Posting a site on a test hosting with passwords like admin+password is just for viewing and testing. Where is the next step?

Your hosting, and even this site you made which was hacked.
Backups of your site on your hosting.
Who is to blame here? Finished customer! ))

Your mistake was that there were no clear agreements on the support of the site.
But if there was no agreement between you and the customer to support the site (regular backups, settings), then naturally you do not bear any responsibility, and it was the fault of the customer. Unfortunately, many customers do not even suspect that this needs to be done. So right now you need to agree on who is responsible for what. You can take these arguments that the contract was to create a site and give it to the customer, and not maintain it.

If you did not agree on this, then no one is responsible. In general, for 8 months. could be agreed. A little nuisance, a lesson for the future

Has the customer been given access to hosting management?

I mean, I had to transfer it myself, and not he get access to the hosting or transfer it myself

well, if you developed a site and your hosting, then the jamb is also yours, or you left holes in the code or there are holes in your hosting.

The correct answer is "close the test site from public access X days after the show". You can close it completely, you can hide it behind authorization.
Now the customer owes you for 8 months of hosting, but not for restoration. And it’s better not to lose face and transfer it to its hosting now and don’t demand money.

Of course, you. Why host someone else's site without having backups.
Moreover, you charge for hosting, which means you are responsible for the safety of data.