[nixos]

So they shut down a node, the node operator notices and restarts it.

The problem is that people actually make money from malware. It's not bored college kids showing off skills. It's pros.

So think like a pro. You use a zero day to hack into Verizon to feed malware, get noticed, and your hack gets reversed after an hour.

You open an exit Tor node on a VPS, use it to feed malware, profit. They close it, you re-open it on another host. They play wack-a-mole, and you rake it in.

[tedks]

The thing is that it takes a significant amount of time and bandwidth to get flagged as an exit and included on circuits. So your set of hosts is going to be pretty limited to start; most hosts are pretty hostile to Tor exits as it is, and are going to shut down an exit hosted in their IP space because they don't want to deal with the abuse complaints. In contrast, the exit scanner can be part of the first users of an exit node. You could try to detect the scanner, but the nature of Tor is that this isn't feasible.

In any case, you can solve the problem of distributing software over Tor by setting up a hidden service. The Tor devs have been making noise for a while about creating an "onion service" that isn't hidden, but has the same guarantees as a hidden service (an improved version of exit enclaving).