100% of traffic coming into or out of Sweden is logged by their signals intelligence agency. It is certainly not wiretapping.

The feds could obviously have monitored all traffic coming from and going to the FH server. If they owned your entry guard during the time that they pwned the server, they could deanonymize you without application layer attacks, and if they didn't do this in addition to application layer attacks they are idiots. I wouldn't be surprised if this is how they found the admin in the first place; I do not think it is by chance that they got him shortly after he made a post to FH server and he wasn't using Windows so.

They would correlate activity to vendors. There seems to be a misconception that traffic analysis cannot be used to tie users of SR to their accounts on SR, but this is not the case.

I think every deanonymizing attack against Tor requires the attacker to own the target's entry guard, or at least be able to observe traffic between the user and an entry guard (i.e., monitor the user from their ISP, or the ISP of the entry guard).

Yes, and this can allow the attacker to deanonymize all users of the hidden service who use an attacker entry guard, without the attacker needing to actually be able to monitor traffic to the hidden service. And when users are using Tails, it makes it take much less time before they use one of your compromised entry guards. This is why I strongly suggest against using Tails unless you also use persistent bridges.

I agree in regard to Silk Road. In regard to the CP sites, to the best of my understanding they didn't even attempt to sort people based on what they were doing, but rather went for getting as many people as possible. Since the exploit was afaik delivered from a 'down for maintenance' page, they couldn't tell the people browsing jailbait from the people uploading self produced child rape photographs.

Hidden services suck at anonymity.