> What percentage of exit nodes are run by spy agencies and other snoops? Does anyone really know?
Most of them. The cost to operate top-bandwidth nodes are estimated at least five figures per month. Thankfully the Tor design spec explicitely calls out government panopticons as being squarely outside the threat model. So, adjust your infosec policy accordingly.
I run one of the bigger Tor relay families [0] with around 3.5% of the exit bandwidth [1]. Hosting high bw stuff is actually pretty cheap if you stay away from the cloud. I don't pay five figures per month for all these relays it's less than 1k$.
For the actual question there was a big attacker uncovered in 2021 [2] and removed from the network. I'm pretty sure there are still malicious relays on the network the hard part is to know which.
Ups forgot that that there is this one relay that I don't run that is also called bauruine. I've updated the link to MyFamily. nusenu shows the authenticated domain which is tuxli.org for my relays.