GEOIP of exit node returns country different from the one detected by a website. May be a MiTM
It may be a MiTM attempt: browser <-> Tor <-> malicious exit node <-> Tor <-> exit node <-> website
This way a malicious exit node can analyze traffic or inject malware offloading most of legal risks to another exit node.