I think it's more likely that they used something targeting the browsers, maybe with 0-days maybe not.
But it doesn't seem to me that the FBI put much effort into this whole thing, maybe it was more a concern for Facebook than for them.
As I understand it knowing that someone is using Tor is usually trivial, the exit nodes normally set a reverse DNS record that signals it and there are exit nodes blacklists
> As I understand it knowing that someone is using Tor is usually trivial
Yeah, Facebook almost certainly receives a lot of attempted traffic from those relatively few TOR exit node IPs, so I'm sure part of their system is aware that they are effectively proxy IPs.
But it doesn't seem to me that the FBI put much effort into this whole thing, maybe it was more a concern for Facebook than for them.
As I understand it knowing that someone is using Tor is usually trivial, the exit nodes normally set a reverse DNS record that signals it and there are exit nodes blacklists