Large-scale Online Deanonymization with LLMs

The Paper

"Large-scale online deanonymization with LLMs" was published in February 2026 by Simon Lermen, Daniel Paleka, Joshua Swanson, Michael Aerni, Nicholas Carlini, and Florian Tramèr - researchers across MATS, ETH Zurich, and Anthropic. The central claim is direct: LLM agents equipped with internet access can re-identify pseudonymous online users at scale, with precision-recall characteristics that make the attack practically usable. The best prior non-LLM methods achieve near 0% recall at 90% precision. The authors' pipeline achieves up to 68% recall at the same threshold. The conclusion: "practical obscurity protecting pseudonymous users online no longer holds."

Read the Paper on arXiv →

The Problem Before This Paper

Pseudonymous online accounts have historically relied on practical obscurity - the assumption that linking a username to a real identity required structured data or substantial manual effort. Classical deanonymization approaches like Narayanan and Shmatikov's Netflix Prize attack worked on structured, numerical datasets and did not generalize to unstructured text. Forum posts, comments, and pseudonymous transcripts required human analysis and did not scale. LLMs remove that constraint.

What They Built

The authors introduce the ESRC framework - a four-stage pipeline: Extract (an LLM summarizes posts into a biographical profile), Search (dense embeddings retrieve a candidate shortlist from a large pool), Reason (an LLM compares the profile against shortlisted candidates and selects the best match), and Calibrate (confidence scoring sets the operating precision-recall point). An agentic variant runs the full pipeline autonomously with internet access and no predefined candidate pool.

Key Findings

• LLM reasoning over biographical profiles drives the majority of the recall gain - embedding search alone achieves 26% recall at 90% precision; adding the Reason stage pushes this to 54-55% on the same task.
• The pipeline generalizes across three evaluation settings: cross-platform linking (HN to LinkedIn), within-platform community splits (Reddit), and temporal profile splits.
• Increasing reasoning effort - more capable models or more inference compute at the Reason stage - consistently improves recall, providing evidence that gains come from reasoning rather than memorization.
• The agentic variant with internet access achieves 67% recall at 90% precision on Hacker News users and 27% recall at 82% precision on Anthropic Interviewer participants from transcript alone.

Results

On the HN-LinkedIn dataset (987 matches, ~89,000 candidate pool): Search + Reason (high effort) achieves 54.2% recall at 90% precision and 45.1% at 99% precision, versus 0.1% for the Narayanan-Shmatikov baseline at both thresholds. On the temporal Reddit split (5,000 queries, 10,000 candidates): Search + Reason + Calibrate reaches approximately 33% recall at 99% precision, with projections suggesting ~45% recall at 90% precision scaled to 1 million candidates.

Why This Matters for AI and Automation

The practical obscurity assumption underpins forum moderation, pseudonymous research accounts, whistleblower channels, and anonymous peer review. This paper demonstrates that the assumption fails against an automated LLM pipeline built from publicly available models and standard APIs. Platform-level defenses designed for manual adversaries - rate limiting, pseudonymity policies, surface-level text anonymization - do not address the attack surface this work exposes. The threat is not hypothetical: the pipeline runs today on deployed models with no specialized infrastructure required.

My Take

The most consequential part of this paper is not the recall number - which will rise as reasoning models improve - but the implication for existing archives. Every major public forum has years of post history that can be analyzed retroactively as capabilities improve. Users who relied on pseudonymity did not consent to re-evaluation against future model generations. The authors chose to publish under a marginal-risk framing, arguing the capability already exists in deployed models. That framing is reasonable, but it also sets a precedent the community has not fully worked through yet.

Discussion question: Given that platform-level mitigations all assume a weaker adversary than a well-resourced LLM pipeline, is there a viable technical defense - or is the only durable path a legal and regulatory framework that treats large-scale automated profile linking as a distinct category of privacy violation?