They could do the same by using the access keys directly - using this service is strictly better since it would identify the attacker by their Stripe payment method.
Yea, agreed.. they definitely could assuming someone does something stupid and exposes keys with access to everything. But this removes the barrier of needing to have a tiny bit of technical knowledge to do it. I think pastebin post with the cloudnuke url, keys, and a stolen credit card would look pretty appetizing for bored people. I'm not saying this shouldn't exist exactly.. maybe some kind of additional identity verification would make it less scary tho.
The same pastebin could exist today by simply providing a script alongside the access keys, I don't see how this paid-for service changes anything aside adding an extra hurdle.