Unnamed attackers were for as long as six months targeting the service in order to deanonymize traffic of those who operate or access Tor services, which are hidden from the wider public Internet.
The relays, which are used to anonymize Tor traffic through a number of hops between entry and exit points of the network, joined in late January, and were removed earlier this month.
It is thought the relays were designed to modify Tor protocol headers in order to conduct "traffic confirmation" attacks.
"While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected," a Tor security advisory published on Wednesday said.
But, the developers of the service warned it was unclear exactly what "affected" includes.
The project's developers said however that it was unlikely that the attackers were able to see what hidden Tor pages were loaded, or even whether users visited the hidden service they looked up.
But they reiterated that in theory "the attack could also be used to link users to their destinations," which would undermine the fundamental project of the service.
Tor is a public, open-source system that allows journalists, activists, and government and law enforcement agencies to conduct work in secret with minimal risk of being monitored by surveillance operatives and intelligence networks. The service was previously funded by the U.S. government, but remains in the hands of thousands of developers. Only a few developers are able to commit code to the project to ensure the service's integrity, as well as to prevent the inclusion of backdoors.