I run a public API that returns results in, among other formats, JSONP.
Some phishing websites started using it some years ago, and ever since I noticed them, I've been really tempted to hijack their victims JSONP calls and redirect them to an anti-fraud website or provide some similar warnings.
Obviously, this could backfire on me and hurt my reputation.
Should I forget about this, and just keep doing what I've been doing; reporting them to their hosting providers?