Hacker News
by nobodysfool 4271 days ago
Well, that's the thing - they are not providing packet traces even though they were doing a forensic investigation, putting their methodology into doubt. Also, there are no logs indicating that they were successful in what they were trying to do. Even if they were successful, they said that "headers of some of the packets" ... "as the source" contained the IP of the server. If it was coming from the Tor network, that would not be the case. Furthermore, since HTTP is a request and response protocol, a request would first have to have been made to the host. A reply would not come without first making the request. That being said, supposedly it was the captcha box. However, that server was only set up to reply to 127.0.0.1 and the backend server. There's no way they would have gotten access to it from the regular web without going through Tor, by the methods they describe. You can see the last date the files were modified, and since the "investigator" told what time they accessed the server, we can see that the server was configured not to allow access except through Tor. Since he had made a log of IP leaks, I'm pretty sure the guy was on top of security issues, as this is not something he'd overlook.