In a year, Tor has turned from a celebrated global anonymity service into a full-scale privacy battleground, under attack from suspicious Feds, abused by criminals while last week we learned that even the Russian Government hates it.
The latest sign of trouble revealed by a Tor's overseers in a blog on Wednesday is news of a sophisticated and possibly successful attempt to unmask the identity of people using the service that they have laid at the door of "irresponsible" researchers connected to the US Government.
In a post on the Project's website, Tor's techies attempt an explanation of what they think happened after a clutch of rogue relays - now disconnected - joined the service on 30 January 2014, and who might have been behind it.
Their best guess is that the attackers were somehow connected to a presentation by Alexander Volynkin and Michael McCord that was due to have been given at the forthcoming Black Hat security conference by two researchers from Carnegie Mellon's Software Engineer Institute (SEI) that was cancelled without explanation earlier this month.
Why the presentation was nixed is not clear but Black Hat's organisers were reportedly told that it had not been approved by Carnegie Mellon University. At that time, Tor said it was aware of weaknesses exploited during the research.
Tor said it still couldn't be absolutely sure who was behind the attack so the CMU connection remains a hunch and not a fact, we shoud make clear.
"We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how 'relay early' cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild," said Tor's organisers in the blog on the topic.
"They haven't answered our emails lately, so we don't know for sure  in fact, we hope they *were* the ones doing the attacks, since otherwise it means somebody else was."
In other words, the type of compromise being worked on bears some resemblance to that which was detected by Tor. It's far from conclusive.
The bad news is that Tor isn't even sure exactly what might have been compromised by the attack, simply that it happened between 30 January and the moment it was stopped on 4 July, a potential window of several months.
The Project's explanation is fairly technical but involves two types of incursion; a 'traffic confirmation attack' and a 'Sybil' attack.
The "neat" confirmation attack is most simply described as an attempt to add rogue relays to Tor in order to use them to work out which user IP addresses are using the service. According to Tor, this can't be used to detect which sites were visited or the content of those sites. But because the rogues operated for several months, anyone who used Tor during this time could in theory have been unmasked.
Sign up for CIO Asia eNewsletters.