Does anyone know which attacks were carried out via relays running on cloud platforms?
The Lizard Squad thing from last year was substantially Google Cloud (GAE/GCE), if I recall correctly (there's a list from consensus-health here[0]). Lots of research takes place on EC2, but it doesn't seem to be a sybil-magnet - after all, there are cheaper providers who will ask fewer questions (e.g., OVH, which has a much bigger consensus fraction).
[0] https://lists.torproject.org/pipermail/tor-consensus-health/2014-December/00...