Actually it’s quite common for people to tinker with malware. Shall I start listing names? Britec, RogueAmp, Dannoct1. Removal Experts. All kinds of people. At least he did it the smart way in a VM where it’d be difficult to infect the host machine