Reply To: User created fictitious coins

#12024
alexg
Keymaster

OK, now I understand your question.

It is not possible for users to add a transaction manually via the plugin. I am not aware of any security vulnerabilities in the plugin that would allow this. If you find any, please let me know.

WordPress is not very secure by default, because it’s a popular platform, and because of plugins of varying quality. You need to work hard to make it secure. Keep up with updates, only install a small set of reputable plugins, harden the security in other ways, etc.

If a hacker has managed to gain admin access, they can manipulate the database freely. This is why, as I have already mentioned, you must save the access logs immediately after the breach, before they are tampered with. A security analyst can check the logs (web logs and database logs) to see when someone might have inserted a row and from which IP.

As a precaution, because there is no such thing as a secure system, you must always keep a large percentage of the user balances in cold storage. This way, in case of a breach, not all funds are stolen. Since even large exchanges with dedicated security teams get hacked routinely, you cannot expect your WordPress installation to be 100% secure. You must take additional precautions. I have added disclaimers about this in the plugin.

If the hacker was not very smart and did not use a relay, then you can use the time and IP you get from the logs to go to the police. I am not an expert in how this works, but this is the general idea.

Hope this helps. Best of luck.

with regards
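
The log review described in the reply above, sketched as an added example that is not part of the original post or of the plugin's code: it takes a preserved copy of a web access log and lists, per client IP, the POST requests to WordPress login and admin paths made close to the time the suspicious row appeared. The "combined" log format, the path list, the function name `requests_near` and the row timestamp are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2022:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2022:03:14:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2022:03:15:10 +0000] "GET /blog/hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2022:03:16:05 +0000] "POST /wp-admin/admin.php HTTP/1.1" 200 912 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2022:09:30:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')
# Assumption: state-changing requests to these WordPress entry points are the ones to review.
SENSITIVE_PREFIXES = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")


def requests_near(log_text, row_time, window_minutes=10):
    """Group POSTs to login/admin paths within the window around row_time by client IP."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line or a different log format: skip it
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if (method == "POST" and path.startswith(SENSITIVE_PREFIXES)
                and abs(when - row_time) <= window):
            hits[ip].append((when.isoformat(), path, int(status)))
    return dict(hits)


if __name__ == "__main__":
    # Placeholder: creation time of the suspicious transaction row, read from the database.
    suspicious_row_time = datetime(2022, 3, 12, 3, 15, tzinfo=timezone.utc)
    for ip, reqs in requests_near(SAMPLE_LOG, suspicious_row_time).items():
        print(ip, len(reqs), "request(s)")
        for when, path, status in reqs:
            print("   ", when, path, status)
```

Run it against a copy of the log saved right after the breach, and compare the timestamps with the database logs before drawing conclusions about any single IP.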