Once and it's a fluke. Twice and I start keeping an eye out.
A few days back I found and noted this visit (here I've obfuscated a little more than in the original post
126.96.36.199 - - [17/Mar/2013:18:38:49 -0700] "GET /paintings/dir1/dir2/filename.jpg HTTP/1.1" 200 4811 "http://example.de/name1/name2" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Naturally I had a look at the named referer and found your basic hotlinking page. The googlebot does occasionally give a referer when asking for an image or other subsidiary file; this one just happened to be a hotlink, so they started out on someone else's site. Shrug, move on, file and forget.
And then I find another one. Again, the identical IP that the googlebot uses in its ordinary visits.
188.8.131.52 - - [21/Mar/2013:06:54:58 -0700] "GET /paintings/dir1/dir2/othername.jpg HTTP/1.1" 200 4228 "http://example.com/3/morestuff" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
/dir1/dir2/ are the same both times, but this may be coincidence; the file itself is different.
The noteworthy bit: Hotlinker #1-- which happened to be German-- could be passed off as the generic hotlinker. Didn't look very closely. (It was definitely not google.de image search, as suggested at the time.) Hotlinker #2 is unequivocally pure spam
[google.com]. Based in the US, registered with GoDaddy, yawn.
I seriously doubt this has anything to do with my site. It's the googlebot investigating ... what, exactly?
I Am Suspicious.