There are signs that it might be law enforcement. Analysis of the code suggests that some of the exploit code is "almost" exactly like what the FBI used in a 2013 bust that exposed child pornography users. Whether or not the FBI is wielding a hacking tool again isn't certain, though. While that makes sense, it could be the work of another law enforcement agency (including one beyond the US) or a private outfit.

The Tor Project team has patched the flaw, so it won't be usable again. However, the code for the attack was public for many hours before a fix arrived. There's a possibility that someone else used the vulnerability in that time frame, and they might not have had a noble goal like catching sex offenders. Intruders could have used the exploit to unmask political dissidents or otherwise cause chaos for innocent Dark Web users. One thing's for sure: if law enforcement did launch the GiftBox attack, it's having little trouble keeping up with Tor's developers.