As Ars points out, this could be someone being deeply incompetent and leaving the traceable IP address. Or it could be a calling card, the NSA letting Tor network users know that it is in the room, maybe meant to scare them off the privacy services entirely.
The malware itself collected geolocation data for individual users, instead of the typical username/password combo most malware goes for. That's one reason why everyone figured it was the FBI at first. The NSA being behind the curtain, though, doesn't mean the FBI won't get its hands on the data, though. The NSA admitted late last month that the agency shares its information with other organisations, like the DEA or FBI, for individual cases involving matters like drugs and child pornography.
So, that's where we stand. The NSA seems to be peeking its head into the deep internet, and it's bringing its friends, too. [Ars Technica]
Image via Shutterstock