Comparisons of events like this to violent crime often seem inaccurate.

A better comparison is removing 10 people's lunch money from their school lockers, maybe due to a careless sequential scheme of creating combinations, and giving the money back. And doing this before talking to the principal or any teacher.

Either way, he still should have contacted them before.

A better analogy is "I found a dollar on the ground". I'm not sure that is really a crime!

> Theft is defined as the physical removal of an object that is capable of being stolen without the consent of the owner and with the intention of depriving the owner of it permanently.

This is a really bad comparison. He didn't deny anyone access to anything or take anything at all. The real-world equivalent would be if he found a bunch of empty community/neighborhood whiteboards and drew a (trivially erased) line on them. The signs weren't there for him to use but they were empty (he didn't erase them) and the change he made was absolutely minimal.

He just configured a bunch of deleted/unconfigured domains to point them to a blank web page running on his own server. The point is that he could have done all sorts of nefarious things with that redirection but he didn't. He made a harmless change to demonstrate the vulnerability. That's what white hats do. It's what they're supposed to do. We should thank him for his efforts not lambaste him for actually doing something about the problem.

It's not very re-assuring for users of DigitalOcean to know that issues like this can put our domains at risk to "idiots". I don't care whether the guy was malicious or a nice guy or what. I care that a system I may be trusting my domain name to is trivially exploitable like this.

He didn't steal anything at all.

All of those domain owners are free to change their nameservers at any time.