But what happens if the actual nodes are taken offline by an old school distributed denial of service attack via a botnet?
Nothing happens because the network does not work by voting or trusting other nodes.
submit false transactions, only leaving his malicious nodes up to verify the transactions?
No. Each node independently verifies transactions, There is no voting or trusting of other nodes or group verification of transactions.
but by that time the malicious actor could have sold all his I’ll gotten coins for us dollars or something.
The exchanges will be running their own nodes. If their nodes are taken down by DDoS, then the attacker’s transactions won’t be received by exchanges in order for the “fake Bitcoin” to be sold. If they are not taken down, then the transactions will be invalid and so the exchanges won’t accept them.
What a DDoS could do is take down enough nodes to partition the network so that some blocks and transactions are not received by all nodes. This could result in a chain split if miners’ nodes are partitioned as well. However this does not allow any coins to be stolen or “fake transactions” to be made. It just causes a lot of trouble and annoyance.