I believe that vendors should hide their Tor use. It isn't a crime, but it could be used to identify them. LE orders a package and gets the vendor's city. I calculated the average density of Tor users in the United States, based on my estimate that there are 250,000 monthly Tor users in the US (the global numbers vary too much by country to be useful). That's about 80 in a city of 100,000, and 800 in a city of 1 million. Actually, the number of daily connecting users is 80,000, and some of them are different people on subsequent days, so the number of people who connect every day like a typical vendor is probably more like 60,000. That's 20 people in a city of 100K, and 200 people in a city of 1M. LE works with the local ISP to identify these users by watching for connections to entry guards, a list of about 1200 IP addresses. From there they correlate the people connected to entry guards with the vendor's online activity. They could send messages to the vendor and look at the response times, and if the vendor posts on this forum, look at the post times. Anyone not connected to the Tor network at the time of a vendor activity is not the vendor (or so they assume). They could exclude most of those Tor users in a short period of time, probably a couple of weeks. They wouldn't be able to exclude everyone, because some people are always connected, but if they have a list of 5 to 10 people, and the vendor is pushing a lot of weight, it could be worth investigating all of them through traditional means to find the vendor.