Once and it's a fluke. Twice and I start keeping an eye out.

A few days back I found and noted this visit (here I've obfuscated a little more than in the original post [webmasterworld.com]):

66.249.73.132 - - [17/Mar/2013:18:38:49 -0700] "GET /paintings/dir1/dir2/filename.jpg HTTP/1.1" 200 4811 "http://example.de/name1/name2" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Naturally I had a look at the named referer and found your basic hotlinking page. The googlebot does occasionally give a referer when asking for an image or other subsidiary file; this one just happened to be a hotlink, so they started out on someone else's site. Shrug, move on, file and forget.

And then I find another one. Again, the identical IP that the googlebot uses in its ordinary visits.

66.249.73.132 - - [21/Mar/2013:06:54:58 -0700] "GET /paintings/dir1/dir2/othername.jpg HTTP/1.1" 200 4228 "http://example.com/3/morestuff" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

/dir1/dir2/ are the same both times, but this may be coincidence; the file itself is different.

The noteworthy bit: Hotlinker #1-- which happened to be German-- could be passed off as the generic hotlinker. Didn't look very closely. (It was definitely not google.de image search, as suggested at the time.) Hotlinker #2 is unequivocally pure spam [google.com]. Based in the US, registered with GoDaddy, yawn.

I seriously doubt this has anything to do with my site. It's the googlebot investigating ... what, exactly?

I Am Suspicious.