correct, an IP alone insufficient to impersonate a Tor node. you would also need key material. (active use of stolen keys to facilitate secondary attacks would be interesting to inventory from leaks...)