http://freehaven.net/anonbib/cache/hs-attack06.pdf The bottom line is: Hidden services create new circuits every single time a client asks them to. If the client is malicious, this could be ten times in one minute. Clients use roughly one circuit every ten minutes. Essentially this hidden service design allows an attacker to 'artificially' speed up the rate at which a hidden service instance of Tor will use one of their malicious Tor relays to relay traffic for their malicious client. Conversely, a hidden service cannot so easily force a client to open circuit after circuit nonstop. This makes hidden services much easier to trace to their entry guards, and once you have identified the entry guards you are only one hop from the target.