I think the article answers its own question the paragraph previous:
> While some bots continue to operate using the standard HTTP connectivity, some versions of the malware use a peer-to-peer network to communicate (KAD based).
Tor and Kademlia are both rather complex systems. To use one or the other, but not both, in different versions of your botnet, would suggest to me that this is a botnet creator split-testing the effectiveness and scalability of different command-and-control technologies.
With that said, I accept that this is much less likely explanation than just some Russian group just using it to facilitate their usual crime.
If this botnet actually relies upon Tor for its primary means of C&C, and the botherders are in fact motivated by ordinary financial crime, then it would seem to be the largest botnet that would be least likely to try to shut down Tor.
The most dangerous scenario for Tor is if this botnet continues to grow exponentially, its operators command it to go into an uncontrolled DDoS mode, or some other glitch in its software causes Tor to fall over. The C&C hidden service would become unreachable, the operators could lose control of their botnet, and it could end up essentially stuck in a perma-DoS mode upon itself and Tor.
Tor anonymity relies on the fact it is difficult to tie in where you entered the system, and where you exited the system. If someone where to control a large amount of nodes, they could (in theory) tie a large amount identities together. But this requires a large amount of entry and exit nodes.
You're thinking of the 50% attack where you have half the hashing power, not half the bitcoins.
