web application – Are high traffic apps and websites used in DDoS attacks?

Isn’t it very simple for one rogue programmer in a big institution to add a small code change in the application/website thereby sending unintended HTTP DDoS attacks? Like is it possible for Tiktok/Facebook to do this?

Like, every time I slide the screen, a POST/GET request goes to some target website/application that will be overwhelmed by the traffic? Are pirate sites a part of this?