In this case, the main question is how the server was discovered, not how the operator was then deanonymized. As the article describes, after the server was discovered to be in France and run by OVH, authorities used legal treaties ("MLATs") to obtain the subscriber information, leading them to the person that recently plead guilty in court.
This seems incredibly naive. Who would register a VPS hosting different kinds of the most illegal content imaginable using their real name or IP address? Even if they thought hidden services were impenetrable, there are always other possible slip-ups you could make which could disclose the server's real IP, and of course they'd be ignorant to think any security measure is impenetrable, including Tor.
DPR made extremely careless mistakes, too, to the point that even a random amateur investigator could've identified him, using only Google.
It's shocking how many of these people aren't caught sooner when they don't even know OPSEC 101.
Sure, but even if you assumed Tor was perfectly secure, there are still other ways of being exposed (like someone causing your web server to issue a network request to a host they control).
No matter one's assumptions, it makes no sense to me that someone would register a VPS with their own information when it's pretty trivial to do so anonymously. Especially if you're running an illegal content hosting empire.
DPR's mistakes at least made sense to me; they're something anyone could have overlooked, even if they were still very naive mistakes. But I doubt DPR used his personal information when paying for servers. That's well beyond "unrealized mistake" into pure incomprehensibility.
They supposedly caught on to him by connecting an email address associated with DPR to his real-world identity. Wouldn't surprise me if that was an ex post facto lie concocted to conceal the true method, though.
