When I was 14-16, I used to host forums for different online gaming communities that attracted DDoS. A few times I managed to get myself inside of the C&C, but I was almost always already in contact with the hosting provider by that point and basically was able to get them to shut it down immediately once I had proof of what it was. I was always scared something like what you described would happen, because very frequently the attacks were larger than DDoS attacks described in world news. I guess the people attacking my servers didn't use their botnet for anything more criminal than harassment and generating ad revenue.