It is totally possible to get a hidden services IP address by hacking into it, or by it leaking its real IP address if it is misconfigured. One Tor hidden service had a forum with registration that sent confirmation E-mails directly without using Tor, as an example of a misconfiguration leading to deanonymization. Several CP hidden services were hacked into by the Dutch police, leading to several people being arrested actually (apparently they were hosting the servers out of their houses !!). The servers they hacked into but couldn't deanonymize were using virtual machine based isolation, and they resorted to just zeroing them out and posting warnings, as they couldn't break the isolation. I would really hope that a site like SR is running its web server in a virtual machine that isn't aware of its external IP address, anything less than that would be somewhat foolish really given the high priority of SR. Even in such circumstances it is possible to deanonymize the hidden service by hacking out of the virtual machine, but it becomes substantially more difficult. Using a virtual machine to isolate the web server not only virtually ensures against misconfigured servers leaking the IP address, but also makes it substantially more difficult for hackers to find its real IP address, and for this reason it is very strongly suggested to run hidden services in this way. The server may also leak its real IP address via a php info page, that is the first thought that comes to mind after reading this guys post, but a quick check doesn't reveal such a page at its default location anyway. If it is true, my first guess would be that SR temporarily had a phpinfo page up and it displayed its real IP address. Also to the people saying SR server changes its IP address at the rate of a bazillion or whatever the fuck times per second, you clearly don't understand how Tor works. Yes, hidden services will appear to have a different IP address to (mostly) each person that accesses them, sort of, if you count their final node as their IP address. But they still have a real IP address as well, and it is actually possible to trace hidden services through Tor with a bit of work (having law enforcement credentials makes the last step much more feasible though). edit: Actually, given that he said he got its IP address when it went down for maintenance, there are two other scenarios I can imagine. If SR runs as a Tor relay it would be vulnerable to downtime-uptime correlation of the Tor relay and the hidden service, which could deanonymize it (or at least give someone a good guess of its real IP address, which could then be further confirmed with various known remote attacks on Tor). Also it is possible that they hosted with a company that had known down time correlating with the down time of this specific website, in which case the attacker could at least significantly narrow in on where it is being hosted, although they would need to take additional measures in order to get a specific IP address. Anonymity and security are hard, complex, complicated and highly specialized fields , and to think that just running as a hidden service magically makes you completely invulnerable is extraordinarily naive.