For me, this is the most interesting question. I suspect this was illegal, though. CFAA is pretty broad for exactly this reason -- the effect and intent, not the vector -- is what matters.
Why would the CFAA[1] apply? I don't think US law is the governing law for everything that happens on the Internet (though they'd probably love that...).
You mean jurisdictionally? E.g. if the hacker was located in the US, or in one of the many, many countries with an extradition agreement since some of those distributed computations almost certainly occurred in the us. Or in one of the many, many countries whose hacking laws are explicitly modeled on cfaa...
[1]: https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act