These nodes -- ordinary nodes, not exit nodes -- sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.
The researchers used "honeypot" .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions' existence. They didn't advertise the honions' existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.
In addition to wrapping messages in multiple layers of encryption (the eponymous technique of Tor, “The Onion Router”), Riffle adds two extra measures meant to baffle would-be attackers.
First, servers switch up the order in which received messages are passed on to the next node, preventing anyone scrutinizing incoming and outgoing traffic from tracking packets using metadata.
Then comes a two-part measure to prevent a malicious server from simply replacing real messages with dummies and tracking a single target one. Messages are sent from the user to all servers, not just one — and outgoing messages must be signed with an independently verifiable mathematical proof that they are the ones the server received. This way, any server tampering with messages will be spotted at once.
LittleSis is a free database of who-knows-who at the heights of business and government. "A unique resource for investigating cronyism, conflicts of interest, and systemic corruption."
Pretty interesting story of how Feedly tracked down a performance problem: What Goes Down Better Come Up a.k.a. Adventures in Hbase Diagnostics
Here's another where Stack Overflow fixed an outage because of a malformed post an regular expressions: Outage Postmortem - July 20, 2016