So, if I'm reading that correctly, they found the Tormail server, seized it and added the JavaScript exploit, which was only live on the site for a few days, between FH / Tormail going down and the operator being arrested. What's really scare is that means they found the hidden service some other way. Even though attacks on Tor exist to identify hidden services, an email server is so complicated that they may have used an application level exploit to find the server. Still, it's worrying.