Cracked steam games can bypass secure servers and VAC protected servers. I have done this (sadly to say I used to pirate games). It is an exploit that has yet to be fixed officially by Valve or keeps changing everytime it does managed to be patched.
Again, UDP flood attack is just spamming packets of data until the user is flooded and crashes. Normally the UDP flood originates from a single IP address (UDP floods from multiple IP addresses takes too long and not really the type for a hacker to use on a video game).
Now that you have blocked his region and he is gone that is good. However, you really should look into preparing yourself for another kid who wants to try this on your server. This kind of thing happens more often than you think.
Install this into your server to keep a log of every single players Name, Steam ID, and IP address. This will help if another shows up so you can deal with them quicker.
Let me clear this up, the hacker does need to join the server ONCE to get the IP addresses, but does not need to stay in the server to attack the IP addresses. He can join, leave, and attack any since he saved those IPs for later use. So just because he is gone from your server, technically, if your friends still have the same IP address, he can still flood them.
My suggestion for you and your friends is get a free firewall program (Outpost Firewall Free Edition does a decent job at preventing floods) Find a good firewall, your flooding won't be a problem because once the spam has occurred the IP is blocked and any packets that are spammed are rejected.
As for not having proof. Emailing his ISP about him is good enough or have your friends email him too. Be sure to specifically say the date, time, and the exact IP address of the attacker. From there they can just look up his history from the date and time you mentioned and find out what he has been doing and send him a letter warning him (if he does it more than once he can have his service disconnected from his house)
__________________