Although the TOR Project’s policies might have left the door open to allow this sort of security breach to happen, that in no way excuses those who took advantage of a situation to execute this exploit. Nor does the fact that the malware installed on TOR users’ computers did no harm other than calling home with an identification report make make this any less of a cybercrime. If you leave the door to your house unlocked and I sneak in and merely look around a bit before exiting, I am still guilty of trespassing and breaking and entering, even though I did no harm.