Regardless, I can't see how anyone could fathom prosecuting thousands (if not millions?) of participants in a DDOS attack and actually being successful.
It would be much more effective to go after the facilitator who made it possible, in this case the developer. Both efficient and punative messaging-wise