And also even if the feature was removed -- whats to stop that admin from coding it back in?
This is what I was saying that he could just update the user password in the CP, it's a non-salted hash, so it'd be easy for any novice to update.
Of course I don't wan't to stay, but you should be worried that your software is being used in a massive fraud, involving hundreds of thousands of pounds.
If this is a legal issue it should be brought up with the law in the established country; we are in no way lawyers or police, we simply modify and add to a codebase.