It’s not entirely uncommon for the latter to happen. Some greyhats have done similar things to clear out botnets in the past. It still counts as unauthorized access to a system though so most avoid doing so even if the intended result is beneficial