by WarOnPrivacy 1082 days ago
> My guess is that a certain router is getting infected with a botnet because ISPs usually hand out the same router to their customers.

This seems trivial to figure out with an analysis of the connecting IPs - which is absent on TOR's report page.

I'm also a bit confused why no one here on HN has asked about the connecting IP data (at this writing). Are these commercial IPs, dynamic (biz/residential) IPs or a mix? If they're mostly dynamic IPs, are they from more than one ISP?

TOR has country of origin data so it seems reasonable they'd also have network of origin.

All that said, I don't precisely know how TOR determines country of origin. Entry node data would seem to be the likely source. However, I've long assumed that entry nodes are publicly supplied, like Relay and Exit nodes. Within that assumption it isn't clear to me how that data would flow to TOR - while maintaining anonymization of traffic.