I imagine it's illegal but I also assume that for it to be prosecutable, there would have to be a complainant. Good luck to that guy trying to prove that DDOS-ing a phishing site is worse than the phishing itself!
It is not unlikely that the phishing site is hosted on a hacked server that still serves legitimate websites (which you would also take down in the process). So there could be a legitimate complainant.
in this case however both sites I "took down" were still accessible afterwards, they just removed their backend. Still got an empty response or 404 with valid http certificate.
So probably the phishers were annoyed with the fake data and moved servers
