Most of the attacks on the Tor network that I've heard about involve surveillance at the edges. You have to run one of your target's entry nodes, and then you can pursue several different attacks.

There are more complex attacks, like brute forcing a relay identity key so it is close to the descriptor ID, so you can become a service directory for the hidden service. That's what Donncha did and it allowed him to count the number of descriptor fetches for Silk Road and other hidden services. That's how we know that Silk Road is about 100 times more popular than Atlantis, because it got 100 times as many descriptor fetches in the 24 hours that Donncha counted them.

If you run the service directory, you still need to become an entry node for your targets. Tor clients keep entry nodes for a month and semi-randomly select new ones. That's why most of these attacks are statistical in nature. They depend on randomly being selected by the target. They are expensive and time-consuming if you have a specific target in mind, like a hidden service, but if your target is "all Silk Road users", it's easy to pwn a small random sample of them, because out of tens of thousands of people, some of them will choose your entry guard very quickly.

I don't think LE would be satisfied with simply bringing the site down. For one, DPR almost certainly has backups and could redeploy the site elsewhere within hours. They would want first to identify DPR and other admins, and second to identify top vendors. That seemed to be their MO in the FH attack -- to identify as many people visiting CP sites as possible, but more importantly to identify the admins of those sites and perhaps accounts that posted a lot of content (i.e., major CP distributors).

Yes, definitely. The Tor developers had said that hidden services are experimental. They are a proof of concept. Nobody is getting paid right now to improve the hidden service protocol and make it robust against attacks.
The Tor developers work on things that people pay them to work on. They have sponsors who give them specific deliverables. Mostly they are getting paid to work on things that help people in censored countries. That's why they push for more bridges and they've created the obfsproxy protocol. We need to pool money or find someone with deep pockets to anonymously sponsor hidden service development.