OK, I get it. I think. They're not deanonymizing users. They're deanonymizing hidden services that are (perhaps) improperly configured to serve direct as well as via Tor. They're using Shodan to find hosts serving hidden services. Then they're somehow matching text served direct with text served via Tor. Maybe they're just getting all of the hits and looking. Or maybe they're refining the search in Shodan.