Last I heard, there was basically one guy handling all reports of malicious exit nodes, and I couldn't even get him to do anything about the ones very obviously intercepting traffic to Bitcoin wallets and injecting code that stole people's money.
This has been done in the past: researchers visited a uniquely generated URL from Tor and then recorded which exit nodes visited it again. You can find their work if you Google it.
"Chloe" visited unique web pages for a month last year, and also used unique credentials to log into a custom honeypot. Of the over 137,000 exit nodes tested, 15 attempted to use the credentials and 650 visited the unique websites.
Less than half of a percent, but definitely happening regularly enough to be an issue.
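The unique-URL technique described in the comments above, as an added Python example that is not part of the original thread or the researchers' code: each exit relay gets its own unguessable decoy URL, and any request to that URL after the initial probe points at the relay that carried it. The log format (`timestamp source_ip path`), the `/u/` prefix, the names `token_for` and `find_revisited`, and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

SECRET = b"constructed-demo-key"  # assumption: known only to the honeypot operator

def token_for(exit_fp):
    """Unguessable decoy-URL token bound to a single exit relay."""
    return hmac.new(SECRET, exit_fp.encode(), hashlib.sha256).hexdigest()[:32]

def find_revisited(exits, log_lines, prefix="/u/"):
    """Map exit -> [(timestamp, source_ip)] for every request to its decoy
    URL after the first one. The first hit is assumed to be our own probe
    sent through that exit; log lines are assumed to be in time order."""
    by_token = {token_for(fp): fp for fp in exits}
    probed = set()
    revisits = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith(prefix):
            continue  # malformed line or unrelated path
        ts, src_ip, path = parts
        fp = by_token.get(path[len(prefix):])
        if fp is None:
            continue  # token we never issued (scanner noise, guessing)
        if fp in probed:
            revisits[fp].append((ts, src_ip))
        else:
            probed.add(fp)
    return dict(revisits)

def demo():
    # Constructed sample data: relay labels and documentation-range IPs.
    exits = ["EXIT_A", "EXIT_B", "EXIT_C"]
    log = [
        f"2024-01-01T10:00:00Z 192.0.2.10 /u/{token_for('EXIT_A')}",
        f"2024-01-01T10:00:05Z 192.0.2.20 /u/{token_for('EXIT_B')}",
        f"2024-01-01T10:00:09Z 192.0.2.30 /u/{token_for('EXIT_C')}",
        "2024-01-01T11:00:00Z 203.0.113.5 /robots.txt",
        f"2024-01-03T02:14:00Z 198.51.100.7 /u/{token_for('EXIT_B')}",
        "2024-01-03T02:15:00Z 198.51.100.7 /u/" + "0" * 32,
    ]
    return find_revisited(exits, log)

if __name__ == "__main__":
    for fp, hits in demo().items():
        print(fp, hits)
```

Because the token is an HMAC over the relay identifier, a request for a token that was never issued is ignored rather than attributed to any relay.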
Not really; you can always mirror the WAN/uplink port and do the capture on another box, so even some time-based/performance analysis won't show anything.
Port mirroring means you can only be a passive eavesdropper. Attacks like SSL MITM wouldn't work because you actually have to intercept and modify the traffic.
SSL MITM still won't work unless you want it to be very noticeable or you have very substantial resources.
Port mirroring is enough to capture SSL traffic and to break weak SSL keys, or if you have compromised the key of the destination services (with some caveats like no forward secrecy, etc.).
And it doesn't prevent you from executing MITM attacks from upstream or just doing specific MITM attacks from within the Tor exit node later on.
But overall, there is nothing you can do to ensure that your Tor exit node, your VPN gateway or even your ISP isn't reading your traffic other than to use encrypted tunnels everywhere, and even then you are for the most part only moving the problem upstream.