That alt account you use to post about your employer? The throwaway for discussing your health issues? The pseudonym you’ve maintained for years to speak freely about controversial topics? A new study shows AI can link them all back to you - quickly, cheaply, and at scale.
Researchers at ETH Zurich and Anthropic have built an automated system that unmasks pseudonymous online accounts with 67% accuracy at 90% precision. The cost? Between one and four dollars per person. The entire study ran for under $2,000.
The paper, “Large-scale online deanonymization with LLMs,” doesn’t reveal some theoretical future risk. It demonstrates a working attack that makes mass deanonymization accessible to anyone with a credit card.
How the Attack Works
The system operates in four stages. First, it extracts identity-relevant features from your posts - the kind of stuff you don’t think about. Not just what you say, but how you say it, what topics you return to, the vocabulary quirks you don’t realize you have.
Second, it searches for candidate matches using semantic embeddings - essentially finding people across the internet whose posts “feel” similar to yours. Third, it reasons over the top candidates, cross-referencing clues the way a human investigator would, but faster and cheaper. Finally, it assigns confidence scores to calibrate its predictions.
The researchers tested this against nearly 1,000 Hacker News profiles, almost 10,000 Reddit users, and anonymized interview transcripts. The results were stark.
In one experiment matching Hacker News users to LinkedIn profiles - with all direct identifiers like names and URLs removed - the agent correctly identified 226 of 338 targets. That’s two-thirds of users exposed from nothing but their public posts.
For comparison, classical deanonymization methods achieved just 0.1% recall at the same precision level. The LLM approach represents a 450x improvement.
Why This Matters Now
The internet’s privacy model has long relied on what researchers call “practical obscurity.” Yes, a determined investigator could probably figure out who you are - but it would take hours of manual work per target. That effort barrier protected most people most of the time.
LLMs destroy this assumption.
“Pseudonymity does not provide meaningful protection online,” the researchers warn. “Users who post under persistent usernames should assume that adversaries can link their accounts to real identities or to each other.”
The implications ripple outward:
For journalists and activists: Governments can now affordably identify dissidents, whistleblowers, and sources at scale. A regime with $10,000 to spend could attempt to unmask 2,500 to 10,000 pseudonymous critics.
For employees: That anonymous post complaining about your company’s practices? It’s linkable to your professional identity for the cost of a coffee.
For anyone with a “throwaway”: The whole point of a burner account is separation from your main identity. AI collapses that separation.
As lead researcher Simon Lermen put it: “The combination is often a unique fingerprint. Ask yourself: could a team of smart investigators figure out who you are from your posts?”
If the answer is yes, AI can now do it automatically.
The Defense Problem
The obvious question: can’t you just use AI to disguise your writing style?
Researchers have explored this. The concept is called “adversarial stylometry” - using tools to normalize your writing, strip identifying quirks, or imitate other authors. Some tools exist, and you could certainly prompt an LLM to rewrite your posts.
But there’s a catch. The arms race heavily favors detection over obfuscation. Humans struggle to consistently alter their subconscious writing habits across hundreds of posts over years. You’d need to remember to mask your style every single time - and the detection system only needs you to slip once to build a profile.
The researchers found that even when users tried to alter their writing style, the deanonymization often still worked. Your interests, your knowledge domains, the times you post, the topics you avoid, the specific details you mention in passing - these patterns persist even through deliberate obfuscation.
What You Can Actually Do
The paper and subsequent analysis suggest several defensive measures, though none are perfect:
Compartmentalize ruthlessly. If you need a pseudonymous presence, treat it like a separate person. Different email, different browser, different device if possible. Never mention identifying details - not your city, not your profession, not your hobbies, not your age. The combination of “lives in Portland, works in healthcare, enjoys rock climbing” might uniquely identify you.
Limit your footprint. The more you post, the more data points you give attackers. Pseudonymous accounts used for occasional comments are harder to fingerprint than prolific posting histories.
Don’t cross-link. Never use the same username across platforms. Don’t reference your other accounts. Don’t discuss the same niche interests on your anonymous account that you discuss on your public one.
Consider ephemeral accounts. Instead of maintaining long-running pseudonyms, use truly disposable accounts that you abandon regularly. The deanonymization attack works best against persistent identities with substantial post histories.
Recognize the limits. If you genuinely need anonymity - whistleblowing, activism under authoritarian regimes, discussing stigmatized topics - understand that pseudonymity alone is no longer sufficient. You need operational security practices that go beyond just picking a fake name.
Platform and Provider Responses
The researchers also suggest system-level defenses:
Platforms could enforce rate limits on API access to user data, detect automated scraping, and block bulk data exports. If it’s harder to collect the corpus of posts needed for deanonymization, attacks become less practical.
LLM providers could monitor for deanonymization misuse and build guardrails that make models refuse such requests. Of course, this doesn’t stop attacks using open-source models or self-hosted inference.
Neither solution is foolproof. Determined adversaries can circumvent rate limits through distributed collection. Open-weight models can’t refuse anything.
The Uncomfortable Reality
This research doesn’t describe a hypothetical threat - it’s a working system that researchers built for under $2,000. The code isn’t public, but the techniques are reproducible by anyone with access to modern LLMs and some engineering skill.
The old internet assumption - that your posts are protected by obscurity, that no one would bother connecting the dots - is now obsolete. The practical obscurity that protected pseudonymous users for decades has evaporated.
If you’re posting anything you wouldn’t want attached to your real name, you need to assume it can be. Plan accordingly.
The Bottom Line
AI has made mass deanonymization cheap and accessible. Your pseudonym provides weak protection at best, and probably none at all against a motivated adversary with a few dollars to spend. The privacy implications are profound and immediate - this isn’t a future risk, it’s a current capability.