His was using a static IP last year. If it is him, his ISP should have logs showing him connecting to the proxy server(s) that was used in the recent attack on Moo during the recent attack.
No, that won't work. See
https://www.torproject.org/about/overview.html.en#whyweneedtorTL;DR: The ISP would only see that the user has connected to tor (and maybe not even that if the perpetrator knows how to use a bridge). The target site only sees someone coming from a TOR exit-node IP address. There is no direct way to connect these two. You could try to perform some time based analysis but that would require access to some very accurate packet logs, and that alone still would not be enough to legally tie the user to the tor activity.
One possibility would be to attempt to reveal the identity through some external application by luring the perpetrator to open some file while browsing with tor. This only works if the perpetrator is careless enough to mix normal and tor browsing.
