Does it make sense to contact the Police after hacking three servers of the same provider?
It is clear that the question is quite naive, maybe even stupid, but this is the first time I have come across such a situation in 12 years of work in development. I just want to make the reservation that I am not a sysadmin, and my skills in administering *nix systems are most likely not sufficient, but they are certainly enough to understand the basics.
It started when the support of "Provider A" wrote to me with a comment along the lines of: "Dear customer, if you do not stop scanning the entire Internet from your server X, we will be forced to ban you, since a complaint has been received against you."
Next came a link and text from a backbone provider in the Netherlands (Provider A has servers there, including mine; they also have servers in Moscow), which literally said that an aggressive scan of port 5555 was coming from my server. OK, I thought.
Logging into the server with my public key, I found a ton of zmap processes scanning just that port across the range 0.0.0.0 - 255.255.255.255. After killing them, I began to analyse the situation. According to auth.log, on September 18, September 26 and September 30 (the day this post was written) there were logins from IP addresses of the form 94.231.132.***, which, judging by a cursory search, belong to a Samara home Internet provider, https://telenettv. ru/.
Further study of the logs showed that they logged in on the first try with a password. Password login in sshd is enabled; I have never logged in with a password, and immediately after buying the server I added my public key. I have never told anyone the password from Provider A's personal account, where it is stored in the clear, and I have never sent it in any correspondence.
Fail2ban is installed on the server, and password brute-forcing is extremely unlikely; in addition, the password is 12 characters of upper and lower case plus special characters, which together makes it almost impossible to guess.
I have three servers with Provider A, and on all three there are direct logins with passwords from addresses like the ones I gave above. On some servers there were no actions apart from the logins (judging by .bash_history, which of course can be cleaned, but judging by the other two servers this was not done), while on others there were a lot of actions, ranging from installing zmap and modifying the settings file for the scan to packaging the sources of my projects and sending them to 0x0.st.
In one of the Python files that served to send the zmap logs, there is a POST request with those very logs to 185.231.155.175:5000/lol.
In this regard, two questions:
1) How else, besides reading auth.log, lastb and .bash_history, can one understand user activity?
2) Is it worth writing to the police? It is clear that the IP addresses could be proxies/VPNs, but judging by the fact that this is a home Internet provider, there is still hope.
UPD 3) And the most important question: how, apart from a direct leak of the Provider A passwords, could a person have logged in to the server? I admit it is possible (though extremely unlikely) that my applications running on the server could contain vulnerabilities, but when vulnerabilities are exploited, entries clearly do not appear in the ssh logs.
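Question 1 asks for other ways to see what a login did. Before going to other sources, it is worth squeezing more out of auth.log itself. The Python script below is an added example, not code from the original post: it parses sshd's "Accepted"/"Failed" lines, groups them by source address, and records whether a password login succeeded without any earlier failure from that address, which is the pattern consistent with a leaked credential rather than brute force. The log lines, host and user names and documentation-range IP addresses embedded in it are constructed for the example; the real logs from the post are not reproduced.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines for the example (documentation
# IP ranges, invented host/user names); not the real log from the post.
SAMPLE_AUTH_LOG = """\
Sep 18 03:12:41 srv sshd[2211]: Accepted password for root from 198.51.100.23 port 51422 ssh2
Sep 18 03:12:41 srv sshd[2211]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 20 11:02:07 srv sshd[3090]: Failed password for invalid user admin from 203.0.113.9 port 40012 ssh2
Sep 20 11:02:09 srv sshd[3090]: Failed password for invalid user admin from 203.0.113.9 port 40012 ssh2
Sep 22 09:30:15 srv sshd[3411]: Accepted publickey for deploy from 192.0.2.77 port 60120 ssh2: ED25519 SHA256:c29tZXRoaW5n
Sep 26 22:48:03 srv sshd[4120]: Accepted password for root from 198.51.100.23 port 52901 ssh2
Sep 30 07:05:55 srv sshd[5008]: Accepted password for root from 198.51.100.41 port 44310 ssh2
""".splitlines()

# Only the message after "sshd[pid]: " is matched, so the syslog prefix
# (traditional or ISO timestamps) does not matter.
_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
_FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
_DATE = re.compile(r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2})\s")


def summarize(lines):
    """Group sshd authentication events by source address.

    Returns {ip: {"accepted": {method: count}, "failed": count,
                  "users": set, "dates": [...], "first_try": True/False/None}}
    where first_try says whether the first successful password login from
    that address came with no earlier failure from it (None if the address
    never logged in with a password at all).
    """
    out = defaultdict(lambda: {"accepted": defaultdict(int), "failed": 0,
                               "users": set(), "dates": [], "first_try": None})
    for line in lines:
        m = _FAILED.search(line)
        if m:
            out[m["ip"]]["failed"] += 1
            continue
        m = _ACCEPTED.search(line)
        if not m:
            continue
        rec = out[m["ip"]]
        rec["accepted"][m["method"]] += 1
        rec["users"].add(m["user"])
        d = _DATE.match(line)
        if d and d["date"] not in rec["dates"]:
            rec["dates"].append(d["date"])
        if m["method"] == "password" and rec["first_try"] is None:
            rec["first_try"] = rec["failed"] == 0
    # Convert the inner defaultdicts so callers get plain dicts.
    return {ip: dict(r, accepted=dict(r["accepted"])) for ip, r in out.items()}


def suspicious(summary, allowed_methods=("publickey",)):
    """Addresses that authenticated with a method the operator never uses.

    On a server whose owner only ever used a key, any accepted 'password'
    login is by definition someone else.
    """
    return sorted(ip for ip, r in summary.items()
                  if any(m not in allowed_methods for m in r["accepted"]))


def report(lines=SAMPLE_AUTH_LOG):
    """Print a one-line summary per flagged address; returns the flagged list."""
    summary = summarize(lines)
    flagged = suspicious(summary)
    for ip in flagged:
        r = summary[ip]
        how = ("first try, no prior failures" if r["first_try"]
               else "after %d failures" % r["failed"])
        print("%s: %s as %s on %s (%s)" % (
            ip, r["accepted"], ",".join(sorted(r["users"])),
            ", ".join(r["dates"]), how))
    return flagged


if __name__ == "__main__":
    report()
```

Beyond auth.log, lastb and .bash_history, the activity itself is usually visible in wtmp (`last -f /var/log/wtmp` for session start and end times), in the journal on systemd hosts (`journalctl _COMM=sshd`), in the modification times of files touched after the first login (`find / -xdev -newermt '2022-09-18'`), in cron and systemd timer entries, and in `~/.ssh/authorized_keys`, where a key is often added to keep access after the password is changed.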
Hence moral 1: never use the same password on different services. Leak one, lose everything. And moral 2: change ALL passwords on ALL services every so often, within a short period of time.
none7, so it is certain that the personal account at "Provider A" was hacked; the IP log shows exactly the same "Samara addresses". As for protection, of course, I have already done that. Of course I did not immediately think about the provider's personal account; for some reason it did not occur to me. As for how it was done: about 8 years ago the password from one of my mailboxes, which was precisely at "Provider A", was leaked to the Internet, so I am not surprised here. In general, everything turned out to be much simpler.
"Does it make sense to call the police?"
No.
"I have never told anyone the password from Provider A, which is stored there in the clear, and I have never sent it in any correspondence."
The password cannot be stored in the provider's personal account in clear text!
In the SSH config, it is better to disable the ability to log in with a password:
PasswordAuthentication no
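A caveat on applying that setting: sshd uses the first value it reads for each keyword, so a `PasswordAuthentication no` appended to the end of a file that already says `yes` earlier (or that is set first in a file pulled in by an `Include` line) is silently ignored, and where PAM is in use `KbdInteractiveAuthentication` (spelled `ChallengeResponseAuthentication` in older releases) has to be off too, or the password prompt still arrives via keyboard-interactive. The Python script below is an added example, not from the original answer: it applies the first-match rule to a config text and reports which of the checked keywords still allow password or root-password login. The two config texts embedded in it are constructed, and the default values it assumes for missing keywords are those documented for recent OpenSSH releases.

```python
import re

# Per-keyword values a key-only server should have. sshd keywords are
# case-insensitive, so everything is compared in lower case.
REQUIRED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    # With UsePAM, keyboard-interactive still prompts for a password unless
    # this is off as well.
    "kbdinteractiveauthentication": {"no"},
}
# Values assumed when a keyword is absent (sshd_config(5) defaults for recent
# OpenSSH; assumption, older builds may differ).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
}
# Older releases spell the keyboard-interactive keyword differently.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Apply sshd's first-match rule: the first value read for a keyword wins
    and later occurrences are ignored. Lines under a Match block are skipped
    because they only apply conditionally; Include files are not followed
    here, so anything set in them must be checked separately."""
    effective = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        key = ALIASES.get(key, key)
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value)      # first occurrence wins
    return effective


def weak_settings(config_text):
    """Return [(keyword, effective_value, allowed_values)] for every check
    the config fails, falling back to DEFAULTS for keywords it never sets."""
    eff = effective_settings(config_text)
    findings = []
    for key, allowed in REQUIRED.items():
        value = eff.get(key, DEFAULTS[key]).lower()
        if value not in allowed:
            findings.append((key, value, "/".join(sorted(allowed))))
    return findings


# Constructed example: looks as if password login was disabled, but the
# earlier "yes" wins and the appended "no" is ignored; root login by password
# is allowed and keyboard-interactive is left at its default.
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# added later by the admin, silently ignored by sshd:
PasswordAuthentication no
"""

# Constructed hardened counterpart.
HARDENED_CONFIG = """\
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for key, value, allowed in weak_settings(text):
            print("%s: %s is %r, want %s" % (name, key, value, allowed))
```

On the server itself the authoritative check is `sshd -T` (run as root), which prints the effective values after all Include files and Match blocks are evaluated; `sshd -t` syntax-checks the file before a reload, and the existing key-based session should stay open until a fresh key login has been confirmed to work.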