The real moral of the story is that Tor doesn't protect from traffic confirmation attacks. If the feds can see traffic at two points on the Tor network, they can determine that it is part of the same flow. They didn't just see that he was using Tor; they confirmed that he was their suspect (which they already had a pretty good idea of, but nothing hard). They did a timing attack to demonstrate that the person they were monitoring with the trap and trace was the person in the IRC, because they could see him send data and they could also see it arrive at the end point (since he was talking to an informant). The real fuck-up on his part was apparently in leaking enough information that the feds could consider him a suspect. If the feds had controlled his entry guard (due to some dragnet signals intelligence operation that they probably have going) they would have been able to determine his identity; in this case they already thought they had their guy and they confirmed his identity. So apparently none of these guys were using FBI pwnt entry guards for the entire duration of their lulz. This is valuable intelligence, as we can actually look at how long they were operating for and determine the number of entry guards they would have used, and show that apparently none of them were owned by FBI. Meh, I am too tripping balls to give this the more concise reply it deserves.
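
To illustrate why observing both ends defeats the anonymity Tor provides, here is an added example (not part of the original post) that bins packet timestamps from a monitored line and from the far endpoint and correlates them. All timestamps, the latency model, and every name in it are constructed assumptions, not real captures.

```python
# Added illustration of end-to-end traffic confirmation on constructed data.
from math import sqrt

BIN_SECONDS = 5        # coarse bins absorb sub-second circuit latency
WINDOW_SECONDS = 600   # length of the observation window

def burst_times(starts, packets=8, gap=0.4):
    """Constructed send times: one short packet burst per chat message."""
    return [s + i * gap for s in starts for i in range(packets)]

def through_circuit(times):
    """Assumed model: the circuit adds 0.35-0.55 s of deterministic latency."""
    return [t + 0.35 + 0.05 * (i % 5) for i, t in enumerate(times)]

def binned(times):
    """Packet counts per time bin; only timing and volume are used."""
    counts = [0] * (WINDOW_SECONDS // BIN_SECONDS)
    for t in times:
        counts[int(t // BIN_SECONDS)] += 1
    return counts

def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / sqrt(vx * vy)

def confirmation_score(entry_times, arrival_times):
    """Correlation between what one line sent and what the endpoint received."""
    return pearson(binned(entry_times), binned(arrival_times))

# Constructed observations: the monitored line, an unrelated Tor user,
# and the arrivals logged at the far end of the conversation.
MONITORED_LINE = burst_times([12, 95, 170, 260, 333, 410, 505])
UNRELATED_USER = burst_times([40, 130, 215, 300, 371, 460, 550])
ENDPOINT_ARRIVALS = through_circuit(MONITORED_LINE)

if __name__ == "__main__":
    print("monitored line :", round(confirmation_score(MONITORED_LINE, ENDPOINT_ARRIVALS), 3))
    print("unrelated user :", round(confirmation_score(UNRELATED_USER, ENDPOINT_ARRIVALS), 3))
```

Encryption and relaying hide content and addresses but not when packets move, which is why the monitored line scores near 1 and the unrelated user near 0. Tor's design treats an observer at both ends as outside its threat model, so the practical defense is not becoming a candidate for targeted monitoring in the first place.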