Comment by immibis
The attack Germany is thought to have actually used was to flood the network with middle nodes and wait until the victim connects to their middle node. Then, it knows the guard node's IP. Then, it went to an ISP and got logs for everyone who connected to that IP.
technicly this is the only comment in this chain that is relevant to the featured article, but it's technicly so incomplete that it's almost wrong, I can tell from having read the thread and knowing next to nothing else about how TOR works.
They don't have plausible evidence to subpoena the guard node if a middle node only sees encrypted traffic. They would also need to control the exit nodes which communicate with the target's host or they simply control the host as a honeypot.