Darknets: Full of onions, and eeps, and other wondrous things

Email to tor-talk@ [0] made me wonder if (some of) these are run by the same people that have been trying to hijack Bitcoin transactions. In the first step, they could enumerate services by crawling them
That would be useful to get an early start in the spamming / seeding publication below.
and setting up an impersonation site that has substituted Bitcoin addresses on it.
There's no need to 'mirror' or 'clone' or 'set up a site', the good ones are just transparent cleartext proxies, one onion in front of another. They can be timed, but don't fall to the dynamic content and update differences that mirrors do. Regardless, the last step is publication of the proxy. This is done in wholesale on onionland services such as forums and the now tens of wannabe 'hidden wikis', many of which are run by the same actors, obviously adding to the attack surface. Users surf them, they and the links look legit, they get bookmarked and that's that till they somehow find out. It's been going on that way for years. All onionland services should be considered suspect, even email, syndication and storage.
Finally, they are running malicious exits that rewrite onion domains to their own impersonation sites.
Exit rewriting is an easy way to skim another fraction of users without needing to play with forums and wikis. As interesting as why, is that there are so many. Those willing to immerse themselves in the corners of onionland would probably find some insight, at least for that which comes from there. Topside ventures that reach down into onions would be a different story. Databasing, crime, anti-crime, covert stuff, games, research, hacking, and even the overriding majority of everyday legitimate use by users around the globe.... The story and scaling over time of all these aspects is becoming quite interesting.
[0] <https://lists.torproject.org/pipermail/tor-talk/2016-January/040038.html>
grarpamp
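An added example, not part of the post above: a check a service operator or user could run to spot the address substitution the thread describes, by comparing a page fetched from a verified onion with the same page reached through an unverified link. It assumes legacy Base58Check addresses only; the function names and the sample pages are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def encode_address(version: int, hash160: bytes) -> str:
    """Base58Check-encode an address (used here only to build sample data)."""
    raw = bytes([version]) + hash160
    raw += checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1's
    return "1" * pad + out

def is_valid_address(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 are the correct checksum."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58.index(ch)
        raw = n.to_bytes(25, "big")
    except (ValueError, OverflowError):
        return False
    return raw[-4:] == checksum(raw[:-4])

def addresses(html: str) -> set:
    """Checksum-valid addresses in a page body; random Base58-looking text is dropped."""
    return {a for a in CANDIDATE.findall(html) if is_valid_address(a)}

def substituted(reference_html: str, suspect_html: str) -> dict:
    """Addresses that differ between the verified copy and the unverified copy."""
    ref, sus = addresses(reference_html), addresses(suspect_html)
    return {"missing": sorted(ref - sus), "unexpected": sorted(sus - ref)}

# Constructed sample: identical page body with one payment address swapped.
GOOD = encode_address(0x00, bytes(range(20)))
SWAP = encode_address(0x00, bytes(range(20, 40)))
REFERENCE = f"<p>Donate: {GOOD}</p><p>order id 1234</p>"
SUSPECT = f"<p>Donate: {SWAP}</p><p>order id 1234</p>"

if __name__ == "__main__":
    print(substituted(REFERENCE, SUSPECT))
```

Because a transparent proxy passes everything else through unchanged, the address sets are a more stable comparison point than a byte-for-byte diff of dynamic pages.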