Either way, @LizardMafia's Tor relay attack isn't new. There's a paper on how Tor loses anonymity if over 50% of relays are compromised.
I was going to go with botnet, but many LizardNSA relay IPs appear to route back to Google Cloud. Thousands of tiny VMs at low bandwidth?
You can see this whole list of tor nodes here: https://torstatus.blutmagie.de...
All Lizard nodes resolve to *.bc.googleusercontent.com