A team of researchers just put a dollar figure on online pseudonymity. It's not encouraging.
Researchers at ETH Zurich and Anthropic built an automated pipeline that links anonymous online accounts to real identities using large language models. They ran it against 338 Hacker News users whose pseudonymous profiles had been scrubbed of every direct identifier. Names, URLs, social handles, all of it gone. The system correctly matched 226 of them to their real LinkedIn profiles at 90 percent precision. Each identification cost between one and four dollars. The entire experiment came in under $2,000.
Let that land for a second. Not the accuracy, which is striking enough. The price. For less than what a mid-range laptop costs, six researchers stripped the anonymity from two-thirds of a user population on one of the internet's most technically literate forums. They published their findings in late February, noting that performance will only improve as models get better and API costs keep dropping.
The paper is titled "Large-scale online deanonymization with LLMs," and the coverage has been appropriately alarmed. Bruce Schneier flagged it on his blog. Ars Technica ran a full breakdown. The Register called pseudonymity a potential casualty of AI proliferation. But most of the discussion has centered on the wrong variable. The conversation keeps circling around capability, what LLMs can now accomplish, as if this were some novel technical achievement. It isn't. The real story is about price.
The Breakdown
- Researchers linked 226 of 338 anonymous Hacker News accounts to real LinkedIn profiles at 90% precision, costing $1-4 per identification
- The pipeline uses standard LLM tasks (summarizing, embedding, comparing) that individually bypass safety guardrails
- At 89,000 candidates, identification still held at 55%; even at 1-in-10,000 odds, 9% were matched at high confidence
- Commercial data brokers and falling API costs will push the per-identification price lower
Pseudonymity was always a pricing problem
Deanonymization is not new. Latanya Sweeney proved it two decades ago with three data points. ZIP code, gender, date of birth. That was enough to single out 87 percent of Americans. The 2008 Netflix Prize attack linked "anonymous" movie ratings to real IMDb profiles. Researchers have been proving for two decades that anonymity in public datasets is a fiction.
But those attacks required structured data. Matching rows in spreadsheets. Aligning schemas between databases. They demanded significant human labor or carefully formatted inputs that rarely existed outside controlled experiments. Online pseudonymity survived for one reason. Breaking it cost more than the result was worth.
Your Reddit throwaway was safe, sure. The way a house with no lock is safe when nobody walks by.
Simon Lermen co-authored the paper. He put the finding in direct terms. "Ask yourself: could a team of smart investigators figure out who you are from your posts?" he wrote on Substack. "If yes, LLM agents can likely do the same, and the cost of doing so is only going down."
That framing is what matters. Nobody's anonymous account was protected by technology. Economics did all the heavy lifting. Pseudonymity was a price tag on your identity, not a lock on it. And LLMs just slashed the sticker.
The pipeline that doesn't look like an attack
What makes this paper different from previous deanonymization work, and genuinely dangerous, is how ordinary each step looks.
The system reads posts and builds a profile of each user. Demographics, interests, incidental disclosures. It converts those profiles into numerical embeddings, then searches for candidate matches across thousands or millions of identities. An LLM reasons over the top results, cross-references details, flags contradictions, assigns a confidence score.
No single step would trip a safety guardrail. Summarizing posts is normal LLM usage. Generating embeddings is normal LLM usage. Comparing profiles is normal LLM usage. The researchers acknowledged this directly. "Our deanonymization framework splits an attack into seemingly benign tasks that individually look like normal usage, making misuse hard to detect," they noted.
And guardrails, for what they're worth, barely slow things down. The researchers reported that LLM agents occasionally refused certain requests, but "this could be avoided with small prompt changes." Open-source models skip the question entirely. The whole framework runs on standard embeddings and standard reasoning. No jailbreak required. No exotic technique.
You can't patch this. "AI reads your public posts and figures out who you are" is not a bug in any system. The information was always there, sitting in the open. Someone just automated the reading.
Join 10,000+ AI professionals
Strategic AI news from San Francisco. No hype, no "AI will change everything" throat clearing. Just what moved, who won, and why it matters. Daily at 6am PST.
No spam. Unsubscribe anytime.
The scaling numbers should worry you more than the headline stat
Most coverage fixated on 67 percent recall at 90 percent precision. Impressive. Not the number that should keep you up, though.
Look at how the attack scales instead. Against a pool of 1,000 candidates, the pipeline hit 68 percent true matches at 90 percent precision. Expand that pool to 89,000, closer to the size of a real platform community, and identification still held at 55 percent. Even when the prior probability of a match dropped to one in 10,000, the approach managed 9 percent true matches while keeping precision at 90 percent.
Run those numbers against a full-size platform. Reddit alone has something like 100 million people showing up every month. Nine percent of that figure, at high confidence, means nine million accounts potentially linked to real names. Not through data breaches or hacking. Through reading public posts and cross-referencing public profiles.
The trajectory bends in one direction only. Lead researcher Daniel Paleka told BankInfoSecurity that deanonymization capability "scales predictably with model improvements." In one experiment matching Reddit users across movie discussion subreddits, switching from low to high reasoning effort roughly doubled the correct identification rate at the strictest precision threshold. Models keep getting better at reasoning. Costs per token keep falling. Both curves are accelerating on the same timeline.
Who wins when the price tag disappears
The implications sort along familiar lines, but the edges are sharper than most privacy research produces.
Governments, emboldened by cheap access, gain a capability they always wanted but couldn't deploy at scale. A motivated intelligence service could always unmask a specific dissident with enough analyst hours. Running that same process against every pseudonymous account in a protest movement was prohibitively expensive. At one to four dollars per identification, it becomes a rounding error in any national security budget. The researchers weren't trying to build a surveillance tool. That part is worth believing. But the blueprint is sitting right there in the methodology, and any competent engineering team could pick it up tomorrow.
Corporate surveillance reconfigures around the same price collapse. Forum-mining for advertising profiles was always theoretically possible but practically useless, because linking anonymous posts to purchasable identities required manual detective work. If that link now costs a few dollars per person, the entire data broker economy inherits a new inventory category. Your anonymous post about a health condition in a support community becomes a lead that can be packaged and sold.
Social engineering gets personal. Every post you've written under a pseudonym becomes raw material for a targeted phishing campaign. Not the generic "Dear Customer" variety. The kind that references the conference you mentioned attending and the niche programming language you complained about in a forum thread three years ago.
Platforms feel the anxiety most acutely. Reddit, Hacker News, and every community that promises pseudonymity now face a question they've never had to answer with urgency. If anonymous usernames can no longer protect identity, what exactly are the platform's obligations? The researchers proposed mitigations. Rate limits and scraping detection. Restrictions on bulk data exports. Speed bumps on a highway. And they only work if platforms choose to build them. The posts are already public.
The ceiling, not the floor
The research team was careful with caveats. Recall rates vary depending on how much content a user has posted and how distinctive their interests are. The pipeline still makes errors. It declined to guess on a quarter of the Hacker News targets where confidence was insufficient.
But the researchers also didn't try particularly hard. Standard commercial models, no fine-tuning, no specialized training data, no access to commercial people-search databases. Lermen speculated separately about what happens when you pair LLM deanonymization with the commercial data broker industry, which moves hundreds of billions of dollars in personal data transactions every year. The cost per identification drops further. Precision rises.
Don't mistake that four-dollar figure for a floor. More like the sticker on the first day of a clearance sale.
You've probably operated for years under the assumption that your pseudonymous accounts protect you because nobody has enough motivation to connect them to your real name. That was true when "enough motivation" meant hiring a team of investigators or writing custom matching algorithms. It holds up worse when it means a few API calls that cost less than a coffee.
The paper's authors were blunt about it. "The practical obscurity protecting pseudonymous users online no longer holds and threat models for online privacy need to be reconsidered."
They're right. But the obscurity was never the protection. The price was. And that price just cratered.
Frequently Asked Questions
How did the researchers strip identifiers before testing?
They removed names, URLs, social handles, and every direct identifier from 338 Hacker News profiles, leaving only post content and metadata for the LLM pipeline to work with.
Why can't AI safety guardrails prevent this?
The pipeline splits deanonymization into ordinary tasks: summarizing posts, generating embeddings, comparing profiles. Each step looks like normal LLM usage. The researchers noted that small prompt changes bypassed any refusals.
Does posting less protect you?
Partially. Recall rates vary with how much content a user has posted and how distinctive their interests are. The pipeline declined to guess on about a quarter of targets where confidence was insufficient.
What mitigations did the researchers propose?
Rate limits on API access, scraping detection, and restrictions on bulk data exports. They acknowledged these are speed bumps, not barriers, especially since the posts are already public.
How does reasoning effort affect accuracy?
Switching from low to high reasoning effort roughly doubled the correct identification rate at the strictest precision threshold, meaning better models will perform significantly better at the same cost.
