
It looks like the company involved is based in the U.K., and it also seems likely that this software and their usage of it are a violation of the Computer Misuse Act.

One of their competitors should consider filing a complaint with the relevant authorities, so this gets formally investigated.



Yes, absolutely. The responses so far have been too tepid; DDOSing competitors, adding a database-dropping kill switch, disabling other software, and adding an admin login backdoor are all separate criminal offenses. The developer responsible should not just be blacklisted, he should be in prison.


I would be interested to hear from Cloudflare as to whether there is any possibility of confirming that the URL "https://pipdigz.co.uk/p3/id39dqm3c0_license_h.txt" - fetched by the "license check" code - did at some point return the text "https://kotrynabassdesign.com/wp-admin/admin-ajax.php". I suspect this will be difficult, or impossible, to verify (I'm not a security expert) and the "license check" code in and of itself (while extremely fishy) only betrays the potential of a DDoS and is not a smoking gun.


Hopefully not. Cloudflare has no business in law enforcement or legal investigations. If they are trustworthy, they will not know about the contents of sites in the past.


Agreed. Separation of concerns and all that.



