Surprised to see a Wooyun article translated and posted to HN. In case anyone is wondering, Wooyun is a Chinese online security community like Full-Disclosure; it features a CVE-like vulnerability tracking system. You can find literally thousands of Chinese software/hardware/online exploits.
The title for this is confusing; they are talking about detecting and attacking regular Tor connections, not internal hidden services (like a DarkMarket). That illustration showing "not encrypted" is the exit node to a regular clearnet site.
The methods for attacking hidden services (DNM) are the same as any other site, such as exploiting misconfiguration, exploiting unpatched software or finding new ones, and looking for pieces of opsec like the Czech guy whose darkmarket used some obscure Czech PHP framework which was identified by viewing the CSS. Every so often a research paper comes out too that identifies some new scheme of analysis of guard nodes/pattern matching/fingerprinting, etc. to identify hidden service IPs, as noted in this Wooyun article. https://news.mit.edu/2015/tor-vulnerability-0729
No, it isn't accurate for hidden services. See https://www.torproject.org/docs/hidden-services.html.en - hidden service communication has some level of encryption end to end (whether that is sufficient or requiring another layer - say TLS - is a matter of use case and threat model).