in this case however both sites I "took down" were still accessible afterwards, they just removed their backend. Still got an empty response or 404 with valid http certificate.

So probably the phishers were annoyed with the fake data and moved servers