EDIT: I'm getting downvoted. I think people have gone to prison for a lot less than this, at least in the US, please be careful and playfulness is not a legal defense
I wonder if it makes a difference that Ikea called them?
If you call someone and yell at them to go fuck themselves, there's a pretty good case for that being harassment. But if someone calls you and you tell them to go fuck themselves, well, that's a different story.
Similarly, people who initiate dodgy requests to web servers are clearly up to no good.
But if you're a web admin and happen to host a zip bomb at `/wp-admin`, only serving it out to people who specifically ask to be sent whatever happens to reside there - even though you've never advertised that URL's existence - is it really your fault if they can't handle the resource they contacted you and asked for?
Let's say someone is using a buggy version of curl. Is it legally okay to set up a web server that exploits the vulnerability when someone tries to fetch from you?