That assumes you could run thousands of malicious tor nodes for several years without being detected. Unless you have vast resources and time, this is unlikely.
My point is that it doesn't require "vast resources". A VPS is $5 a month. A thousand of them would be in the disposable income budget of a single FAANG engineer never mind a nation state.
Pay people on Fiverr to set them up for you at different ISPs so that all the setup information is different. You can use crypto to pay if you want anonimity (this is actually the main reason I used to use bitcoin - I'd pay ISPs in Iceland to run TOR exit nodes for me without linking them to my identity).
This isn't a difficult problem. A single individual with a good job could do it.
And sure, each connection only has a very small chance of being found, but aggregate it over a year or two and you could catch half of the users of a site if they connected with a new circuit one time per day.
I honestly can't see why a nation state or two hasn't already done this.
What detection? A malicious node is only different from a non-malicious node because all the traffic is being logged. If that's our definition of a malicious node in this case then there is no way to detect one.
