If you were on X or LinkedIn the other week, you probably saw some version of this claim:

Your anonymous internet identity can now be unmasked for $1.

A research paper from ETH Zurich and Anthropic titled “Large-scale online deanonymization with LLMs” made the rounds, and the reaction was predictably alarmist.

Posts racked up millions of views. The framing was almost universally that AI has killed online anonymity, your Reddit throwaway is compromised, and it only costs a dollar.

Here’s a sample (pardon the language):

After reading the actual paper (twice), we decided the reality is more nuanced than the headlines suggest, but it’s also more concerning in ways that most of the social media commentary missed entirely.

The short version:

the current results are uneven, and the “unmask anyone for $1” framing is an exaggeration. But the trajectory of this technology is what should concern you.

The techniques demonstrated in this paper will get better, fast. And most people’s online habits are not remotely prepared for where this is heading.

This post tackles the following:

1. What the researchers actually found (and what they didn’t)

2. Explains the four-step pipeline that makes this work

3. Gives you our honest take on where the real risk sits today

4. Then walks through a concrete defensive playbook for future-proofing your digital anonymity before this technology matures.

Let’s start with what actually happened.

What the Researchers Actually Found

The paper tests several different scenarios, and the results vary widely.

In the most impressive demonstration, the researchers gave an AI agent anonymized interview transcripts from 33 scientists and asked it to figure out who they were. No names, no usernames, no direct identifiers.

The agent searched the web on its own, cross-referenced details against published papers and university profiles, and correctly identified 9 of the 33 scientists. When it made a guess, it was right 82% of the time. (source)

In a separate test on Reddit, the system matched pseudonymous users to their real identities at rates between 25% and 52%, depending on the community.

Those are real results, and they’re concerning. But let’s put them in perspective: most people in these experiments were not identified. A 27% success rate is not the all-seeing surveillance tool the viral posts implied.

So why are we still writing about this?

Three reasons.

First, the cost: the entire experiment cost about $2,000, roughly $1 to $4 per person targeted. A year ago, this kind of investigation would have required a skilled human spending hours on a single target.

Second, the comparison to older methods: classical deanonymization techniques scored close to 0% on these same tasks. LLMs didn’t just improve the old approach. They made an entirely new category of attack possible.

Third, and most important, the trajectory: the researchers found that simply increasing the model’s reasoning effort doubled the success rate in some tests. As models get smarter and cheaper (both of which are happening fast), these numbers will climb.

To understand why this works and where you’re vulnerable, you need a simple framework.

The Mental Model: Death by a Thousand Data Points

Think of every piece of information you share online as a coordinate on a map. Your city is one coordinate. Your profession is another.

The programming language you use, the dog breed you own, the college you attended, the subreddit you comment in. Individually, none of these coordinates are identifying. Millions of people live in Portland. Thousands are software engineers. Hundreds have golden retrievers.

But the intersection of all your coordinates is almost certainly unique. There’s probably only one software engineer in Portland who has a golden retriever named Biscuit, graduated from Stanford, and has strong opinions about the Rust programming language.

In privacy research, these little details are called “micro-data.”

The concept goes back to Latanya Sweeney’s landmark research in the late 1990s, where she demonstrated that 87% of the U.S. population could be uniquely identified using just three data points: ZIP code, gender, and date of birth. (source) That finding was later debated (some researchers put the figure closer to 63%), but the core principle is that combinations of ordinary facts about you form a fingerprint.

The problem has always been that exploiting this was hard.

Your micro-data was scattered across different platforms, buried in unstructured text, and connecting the dots required a skilled human investigator spending hours or days on a single target. That made mass deanonymization impractical. Only high-value targets (journalists, activists, political dissidents) were worth the effort.

LLMs remove that bottleneck.

How the Attack Actually Works

The researchers designed a four-step framework they call ESRC: Extract, Search, Reason, Calibrate. Understanding each step matters because it reveals where you’re most vulnerable.

Extract. An LLM reads all of your posts on a given platform and builds a structured profile. It pulls out stated facts (you mentioned living in Austin), inferred facts (you seem to be in your 30s based on cultural references), and incidental disclosures (you mentioned walking your dog through a specific park). The model is remarkably good at this. It picks up on things you’d never think to scrub, like:

• spelling patterns that reveal your nationality

• niche technical knowledge that narrows your field

• opinions on local politics that pin you to a region

Search. Your extracted profile gets converted into a mathematical representation (an embedding) and compared against a database of candidate profiles. In the Reddit experiment, the candidate pool was 10,000 users. The system uses semantic similarity to find the closest matches, returning the top candidates most likely to be you.

Reason. This is the step that separates AI deanonymization from older techniques. Instead of simply returning the closest mathematical match, the system feeds the top candidates into a more powerful reasoning model. That model examines each candidate’s profile against yours, looking for confirming evidence and contradictions. It weighs rare attributes more heavily than common ones. It catches false positives that pure pattern-matching would miss.

Calibrate. Finally, the system assigns a confidence score. When it’s uncertain, it abstains rather than guessing wrong. This is what gives the attack its high precision. In fact, the researchers tuned it so that when the system does make a prediction, it’s right roughly 9 out of 10 times.

The researchers benchmarked their approach against a classical technique modeled on the famous Netflix Prize deanonymization attack from 2008, where researchers proved they could identify Netflix users by matching their anonymous movie ratings against public IMDb profiles. (source)

Across every experiment mentioned above, the classical method achieved close to 0% success on unstructured text. Not low success. Effectively zero.

What this means is that before LLMs, there was no viable way to deanonymize people from the kind of content they actually post online.

The Full Picture: What They Tested and What It Actually Proves

The researchers ran several different experiments. It’s important to understand what each one does and does not demonstrate, because the headlines tend to blur them together.

Experiments that actually unmask real identities:

The scientist interviews and the Reddit-to-real-identity tests are the most relevant results for most people. These show the system taking anonymous text and producing a real name.

The success rates (25-52% on Reddit, 27% on interview transcripts) are moderate but meaningful, especially at the price point. And the system is selective. When it isn’t confident, it abstains rather than guessing wrong, which means the guesses it does make are right roughly 80-90% of the time.

Cross-platform professional matching:

The researchers also collected 987 LinkedIn profiles linked to Hacker News accounts and tried to match them. After stripping out names, URLs, and other direct identifiers from the Hacker News side, the LLM pipeline correctly matched 55% of users at 90% precision, climbing to 45% recall even at 99% precision. (source)

A significant caveat: these users had voluntarily linked their Hacker News and LinkedIn accounts, which means they probably weren’t trying to stay anonymous. People who publicly connect accounts across platforms tend to share more identifying details in their posts. The researchers acknowledge this bias. This number likely overstates the success rate against a genuinely privacy-conscious user.

Experiments that link anonymous accounts to each other (but don’t reveal real names):

The researchers also tested whether the system could determine that two anonymous accounts belong to the same person. This is different from unmasking someone, but it’s still a serious threat. If an attacker can link your throwaway Reddit account to your main account, or connect your posts across different forums, they can build a much richer profile even without knowing your name.

In the strongest of these tests, they split 5,000 Reddit users’ comment histories into “before” and “after” halves separated by a one-year gap, then tried to match them. The full pipeline correctly re-linked 67% of users at 90% precision from a pool of 10,000 candidates. (source)

In a harder test using movie discussions across different subreddits, success rates were lower but still meaningful. Users who discussed ten or more of the same movies were identified at a 48% rate. Users who shared only a single movie title were caught just 3% of the time. (source)

The classical (non-AI) baseline achieved close to 0% in both of these scenarios.

What the scaling projections suggest:

When the researchers extrapolated their results to larger candidate pools (closer to real-world scale), the numbers dropped but didn’t collapse. At a projected 1 million candidates, the LLM approach still estimated roughly 35% recall at 90% precision for account linking. (source - figure 7a) These are rough projections, not guarantees. But they suggest that even at internet scale, the approach doesn’t just fall apart.

Our Take: Not an All-Seeing Eye, But the Threat Is Real for Specific People

We covered the cost and trajectory arguments above, so no need to repeat them. Instead, let’s focus on who should actually be concerned right now, because the answer isn’t “everyone equally.”

Even at today’s moderate success rates, this technology is dangerous for people in specific situations.

If a government wants to identify activists posting on an anonymous forum, they don’t need to unmask everyone. Identifying 25-30% of the users, with high confidence, is more than enough to have a chilling effect. If someone going through a bitter divorce wants to find their ex-spouse’s anonymous Reddit account, they only need to succeed once.

The researchers flag governments targeting journalists, corporations building advertising profiles from forum posts, and attackers crafting targeted social engineering campaigns. Here’ a more mundane threat that is underappreciated:

anyone in a personal dispute with both motivation and a few hundred dollars. Custody battles, workplace conflicts, stalking. The barrier to running this kind of investigation has dropped from “hire a professional investigator” to “use an API.”

And remember, the 25% rate today could be 50% in a year. The account-linking capability that hits 67% today could approach near-certainty on active users. The time to build good habits is before you need them.

What Legislators and Platforms Are Getting Wrong

Most privacy regulation was designed for a world where the threat was structured data, such as databases, tracking cookies, browsing histories. The regulations ask companies to anonymize datasets by removing names and direct identifiers. The entire framework of data protection, from GDPR’s pseudonymization provisions to HIPAA’s Safe Harbor method, assumes that if you strip out the obvious identifiers, the remaining data is reasonably safe.

This research demonstrates that unstructured text (your comments, your posts, your forum contributions) is just as identifying as structured data, possibly more so. And no current regulatory framework addresses this. The data that makes online communities valuable is the same data that makes you identifiable.

Platforms aren’t much better positioned. Reddit, Hacker News, and most forums make user post histories publicly accessible by default. That’s a design choice that made sense when parsing those histories required human effort. It makes far less sense when an AI can process every comment you’ve ever written in seconds.

Whether the current success rates worry you or not, the direction is clear. And the defensive steps that work against today’s pipeline will work even better against tomorrow’s. The attack has specific vulnerabilities at each stage, and understanding those vulnerabilities gives you a real playbook for reducing your exposure.

Your Defensive Playbook: Disrupting Each Stage of the Attack