Correlating IP address use to something else happening at the same time? Like a malware author being incredibly dumb and using their home IP to upload PyPy packages, while IDK, using that same IP as a C&C server endpoint.
They may not even need to have slipped up and direct-connected via their home IP. The FBI has sufficiently compromised subsets of Tor in the past to do correlative attacks on specific targets.
