About a hacker trying to crash the server; all the establish-connection related stuff IS in a separate thread (should have probably said that xD), after the client/server handshake with a sequence of bytes then both the client/server go into "gameplay" mode, changing from the "login" mode (the server adds the client to the list of clients for the client to be iterated though on the main thread), the game state also changes on the client side and the client can now play. After that I don't think there are any game related messages that can actually freeze the server. The hacker could surely freeze the thread in the separate "establish-connection" thread, but that'd be pointless lol (but they could also create a infinite amount of pointless threads by doing this, I actually thought of this and will probably implement a timeout value so the hacked client just gets dropped, liked you said).
Haha yeah I know xD
That is not necessarily the right thing to do. Async development needs more careful design and planning than that.