• Snot Flickerman@lemmy.blahaj.zone
      5 upvotes · 18 hours ago

      https://www.malwarebytes.com/blog/news/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network

      Given the number of servers run by KAX17 the calculated probability of a Tor user connecting to the Tor network through one of KAX17’s servers was 16%, there was a 35% chance they would pass through one of its middle relays, and up to 5% chance to exit through one.

      This would give the threat actor ample opportunity to perform a Sybil attack. A Sybil attack is a type of attack on a computer network service where an attacker subverts the service’s reputation system by creating a large number of pseudonymous identities and uses them to gain a disproportionately large influence. This could lead to the deanonymization of Tor users and/or onion services.

      Given the cost and effort put into this and the fact that actors performing attacks in non-exit positions are considered more advanced adversaries because these attacks require a higher sophistication level and are less trivial to pull off, it is highly likely this is the work of a high-level (state-sponsored?) threat actor. As for who is behind this group, neither Nusenu nor the Tor Project wanted to speculate.

      A spokesperson for the Tor Project confirmed Nusenu’s latest findings and said it had also removed a batch of KAX17 malicious relays.

      “Once we got contacted, we looked through all the relays in the network and identified several hundred relays that are very likely belonging to the same group and removed them on November 8.”

      VPNs also by definition still use the same corporate pipes as anything else.

      • shortwavesurfer@lemmy.zip
        7 upvotes · 18 hours ago

        Nothing in this world is ever 100% complete, but decentralization and protocols are extremely good combat measures. It is possible to poke holes in almost anything. But that does not mean it’s not worth trying.