Recently whilst working a phishing report I came across a page put on a site by a vigilante. See attached screenshot.
They had, as they said, altered the site. They had altered the phish files.
They had put their own hacker tool on the site.
All these alterations leave traces.
When the site owner or the host or Law Enforcement or I come to look at the files and the logs, we are unable to distinguish which alterations were made by the criminals from those made by the vigilante.
We do not know if the vigilante reported the original data in the hacker files to Law Enforcement for follow up.
In other words, for our purposes the evidence is destroyed.
In this case the vigilante had not even found all the phish on the site.
But even the evidence in those other phish is now tainted.
Thanks for wasting my time.
I was very,very angry when I came across that page after half an hour.
Sometimes it takes me 4 hours to analyse a site.
Imagine how I would feel if I came across that page at the end of that process.

Don't do this.

moron.gif
Description:		Download
Filename:	moron.gif
Filesize:	8.32 KB
Downloaded:	68 Time(s)

Where did it link for an explanation of phishing?

Wikipedia

Couldn't it have been the site owner that replaced the phish with that warning?

The phish wasn't replaced, just altered to send false data.
That warning showed after the victim had submitted their data.
The site owner would have no reason to leave the copyright-infringing pages in place, they would put the warning as the first page the victim would see.
And as I said, I found the vigilante's (distinctive) hacker tool.
Interestingly, the site went down 'bandwidth exceeded'.