Using commercially available APIs for AI systems, researchers have devised a way for large language models (LLMs) to strip anonymity from pseudonymous online accounts at scale for just $1.41 per target.

In doing so, the researchers showed that the assumption that online identities are protected by anonymity is no longer so robust, as AI tools can quickly and cheaply identify users through their posts.
The paper, "Online de-anonymization at scale with LLM," by researchers at ETH Zurich, the Machine Learning Alignment Theorist Program, and AI vendor Anthropic, describes a pipeline that identifies pseudonymous users with high accuracy.
The paper points to surveillance of journalists, dissidents and activists as a real threat.
Hypertargeted advertising that links anonymous forum posts to customer profiles and personalized social engineering at scale are other scenarios.
Even employees who rely on pseudonyms for protection could be exposed using the researchers’ techniques.
Essentially, an LLM can take specific information such as location, conferences attended, professional hobbies, job title, etc. to narrow down who that person is likely to be.
For this study, the researchers built a four-step attack framework (Extraction, Search, Reasoning, and Calibration) that they named ESRC.
It works by first extracting identity-related signals from unstructured posts, such as demographics, writing styles, collateral disclosures, interests, and language patterns.
Then a semantic embedding search finds likely matches in the candidate pool, and a second, more capable model reasons over the top candidates and verifies the best match.
The final tuning step controls the false positive rate and allows the attacker to trade off accuracy against the number of successfully identified users.
The researchers’ approach is based entirely on unstructured text and does not require structured data, predefined features, or the manual intervention of skilled researchers.
In the researchers’ tests, the LLM pipeline achieved 45.1 percent recall at a 99 percent precision threshold when matching Hacker News accounts to LinkedIn profiles across a pool of 89,000 users.
Previous automated methods achieved only 0.1% recall with the same precision.
In another test linking fake Reddit accounts over time, the full LLM pipeline identified more than a third of all users with 99% accuracy.
The researchers also tested on a partially edited dataset from Anthropic called “Interviewer,” published last December.
Here, the LLM pipeline was able to uncover the identities of 9 of the 33 anonymized scientists extracted from the 1,250 interviews in the dataset.
The models used in the pipeline were xAI’s Grok 4.1 Fast, OpenAI’s GPT-5.2, and Google’s Gemini 3 Flash and Gemini 3 Pro.
No Claude models such as Sonnet or Opus were used in the tests, even though Anthropic’s Nicholas Carlini served as the paper’s advisor.
It is now possible to de-anonymize online users cheaply
Researchers estimate the cost of an agent pipeline to be between $1.41 and $5.64 (US$1-4) per target using standard commercial AI APIs.
Previous de-anonymization attacks of comparable effectiveness required structured datasets amenable to algorithmic matching, exploitable technical vulnerabilities, or significant manual effort by skilled investigators reserved for high-value targets.
The pipeline is estimated to scale to Internet-sized datasets with considerable success, with a predicted recall rate of about 35% with 90% accuracy for a candidate pool of 1 million users, the researchers said.
Researchers predict that future models will be even more accurate and less costly.
Guardrails are not a reliable defense
The researchers tested commercially available LLM safety guardrails during the experiment, but found them insufficient to prevent de-anonymization.
In some scenarios, agents refused assistance, but small changes to the AI prompts prevented those refusals each time.
The ESRC pipeline divides the attack into steps such as profile summarization, embedding computation, and candidate ranking.
This step-by-step approach has the effect of resembling normal, benign usage, making automatic misuse detection less reliable.
According to the researchers, the threat extends beyond commercial API access entirely because safety guardrails can be removed in an open source model and there is no usage monitoring in open source deployments.
Researchers suggest rate limiting API data access, automatic scraping detection, and export limits on large amounts of data as the most practical short-term mitigations, placing the primary burden of response on the platform rather than the AI provider.
They stopped short of publishing their pipeline code and processed datasets, citing the risk of further lowering the barrier to malicious actors.
The researchers’ preprint paper has been posted to arXiv and is awaiting peer review.
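The platform-side mitigations the researchers suggest (rate limiting API data access, scraping detection, and export limits) all come down to watching how many distinct accounts and how much post history one API client pulls in a given window. The following is an added example, not code from the paper or the original article; the limits, log format, and key names are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values, chosen for this example only.
WINDOW_S = 3600          # sliding window length in seconds
MAX_DISTINCT_USERS = 3   # distinct accounts one API key may read per window
MAX_EXPORT_BYTES = 5000  # bytes of post history one API key may pull per window

def review_access_log(events):
    """events: iterable of (ts, api_key, target_user, response_bytes), sorted by ts.
    Returns {api_key: sorted list of reasons} for keys that exceeded a limit."""
    windows = defaultdict(deque)   # api_key -> events still inside the window
    flagged = defaultdict(set)
    for ts, key, user, size in events:
        win = windows[key]
        win.append((ts, user, size))
        while win and win[0][0] <= ts - WINDOW_S:
            win.popleft()          # expire events older than the window
        # Building a candidate pool means reading many different accounts.
        if len({u for _, u, _ in win}) > MAX_DISTINCT_USERS:
            flagged[key].add("distinct-user fan-out")
        # Export limit: total post history pulled, regardless of target count.
        if sum(s for _, _, s in win) > MAX_EXPORT_BYTES:
            flagged[key].add("export volume")
    return {k: sorted(v) for k, v in flagged.items()}

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    (0,    "key-reader",  "alice", 800),
    (600,  "key-reader",  "alice", 700),
    (900,  "key-crawler", "u001",  900),
    (905,  "key-crawler", "u002",  900),
    (910,  "key-crawler", "u003",  900),
    (915,  "key-crawler", "u004",  900),
    (920,  "key-crawler", "u005",  900),
    (925,  "key-crawler", "u006",  900),
    (4000, "key-reader",  "bob",   900),
    (4100, "key-slow",    "carol", 3000),
    (9000, "key-slow",    "carol", 3000),  # earlier pull has left the window
]

if __name__ == "__main__":
    for key, reasons in review_access_log(SAMPLE_LOG).items():
        print(key, "->", ", ".join(reasons))
```

Because the article notes that each pipeline step resembles benign usage on the AI-provider side, this check sits on the platform holding the posts, where the bulk read pattern is visible.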
