LLMs Can Now Figure Out Who's Behind Any Pseudonym — For Just $4

Posting under a pseudonym has long felt like a reasonable privacy protection. Your username isn’t your name. Your throwaway account doesn’t have your email. Nobody’s going to go to the trouble of piecing it all together. That implicit assumption just broke.

Researchers from ETH Zurich, MATS, and Anthropic published a paper this month showing that LLM agents can deanonymize pseudonymous online accounts at scale, automatically, for $1–$4 per person — matching what would take a skilled human investigator hours. The classical methods that made this hard before? Near-zero success. The LLM pipeline? Up to 68% recall at 90% precision.

• LLM agents autonomously re-identified 67% of Hacker News users at 90% precision from pseudonymous profiles alone
• The scalable pipeline achieves 45.1% recall at 99% precision on HN→LinkedIn matching, vs. 0.1% for the best classical method
• 9 of 33 Anthropic Interviewer scientists were re-identified from partially redacted transcripts — without any safety-bypass tricks
• Extrapolated to 1 million candidates, the LLM pipeline retains ~45% recall at 90% precision; classical methods collapse to zero
• ~33% of Reddit users can be linked across a 1-year time gap at 99% precision
• Total experiment cost: under $2,000, using only publicly available APIs

What “Deanonymization” Actually Means Here

Deanonymization is a matching problem: given a pseudonymous online profile, find the real person behind it — or link it to their other accounts.

This isn’t new in theory. The famous Netflix Prize attack (2006) showed that anonymous movie ratings could be matched to public IMDb profiles using just a handful of overlapping movies. But that required structured, numerical data. Online posts are messy, unstructured, and spread across platforms. Manual deanonymization was expensive enough that only high-value targets were ever worth attacking.

LLMs change the cost structure entirely. The same signals a skilled investigator would notice — career history, writing quirks, mentioned projects, opinion patterns, incidental disclosures — can now be extracted automatically, embedded into vectors, and matched against millions of profiles. What once took hours per person now takes minutes and a few API calls.

The paper formalizes this into a four-stage pipeline they call ESRC:

1. Extract — An LLM reads unstructured posts and pulls out identity-relevant features: demographics, job history, interests, writing style, location signals, things mentioned in passing
2. Search — Those features are embedded into dense vectors and searched against a candidate pool using FAISS nearest-neighbor lookup
3. Reason — A more capable LLM (with extended reasoning) reviews the top-100 candidates and picks the most likely match — or abstains if nothing fits
4. Calibrate — LLM-produced confidence scores are thresholded to control the false positive rate, letting you tune the precision/recall tradeoff

Each step is modular. The paper ablates them individually, so you can see exactly how much each one contributes.

The Numbers Are Hard to Dismiss

Hacker News → LinkedIn (987 profiles, 89,000-user candidate pool):

The classical baseline — a rarity-weighted Jaccard similarity over 332 professional attributes, essentially the Netflix Prize approach adapted for career data — achieves 0.1% recall at 90% precision. Embedding search alone hits 26.3%. Adding LLM reasoning jumps it to 54–55%. Switching to high-effort reasoning gets 45.1% recall at 99% precision, where one in a hundred guesses is wrong.

The scaling results are what make this feel real. As the candidate pool grows from 1,000 to 89,000 users, recall at 90% precision drops from 68.3% to 55.2% — a loss of only 13 percentage points across nearly two orders of magnitude. Log-linear extrapolation to 1 million candidates projects ~45% recall at 90% precision. Classical methods reach zero long before that.

Reddit temporal splits (5,000 users, 1-year gap between profiles):

This experiment is the most adversarial. A user’s comments are split into a before and after window separated by one year. Same person, different timeframe, no shared current-events context. The attacker has to find stable signals — interests, writing patterns, long-term life circumstances — that persist across the gap.

The classical baseline fails completely. The LLM pipeline (Search + Reason + Calibrate) identifies approximately one-third of users at 99% precision. At 90% precision it approaches the theoretical ceiling imposed by how often the correct match falls in the top-15 candidates at all (~80%).

The Anthropic Interviewer transcripts:

Anthropic released 125 partially-redacted interview transcripts of scientists discussing their AI use. The authors ran their agentic pipeline on 33 of them — without any safety bypasses — and identified 9 at 82% precision. A previous paper using task-decomposition to circumvent model safeguards found 6 out of 24. This pipeline found 50% more, with no tricks.

Why This Is Harder to Defend Than It Sounds

The obvious mitigations don’t work well here, and the paper is candid about why.

Rate limits and scrape detection can slow things down but don’t stop a patient attacker. The data being used — posts, comments, bios — is already publicly available.

LLM safety guardrails are limited because none of the individual steps look suspicious. Summarizing a profile is benign. Computing embeddings is benign. Asking an LLM to compare two profiles is benign. The attack is assembled from ordinary API calls.

Classical anonymization frameworks like k-anonymity and differential privacy were designed for structured databases. They don’t account for rich unstructured text where identity signals are semantic, not explicit. Even LLM-based text anonymization (removing names, handles, links) leaves enough residual context for re-identification, as the paper demonstrates in its experimental setup.

The authors point out one important nuance on memorization: LLMs might partially succeed because they’ve seen Reddit and Hacker News in training. But increasing reasoning effort substantially improves results in ways that pure memorization can’t explain — the model is doing genuine inference, not recall. And even if memorization plays a role, that doesn’t reduce the threat; it just means platforms in training corpora are more exposed than those that aren’t.

What This Means for Pseudonymous Users

The paper is direct about the implications. Threat actors who could previously only afford to deanonymize high-value targets can now run this at scale:

• Governments linking pseudonymous accounts to dissidents, journalists, and activists
• Corporations connecting anonymous forum posts to customer profiles for advertising
• Stalkers and harassers building target profiles automatically
• Social engineering attacks built on detailed personal histories scraped from public posts

The only concrete defense the paper endorses is behavioral: don’t assume posting under a pseudonym is private. Every piece of micro-data you share — a job change, an opinion on a movie, a mention of where you went to school — narrows the match. More posts, more exposure. More specificity, faster identification.

At 90% precision, the pipeline still identifies ~9% of users even when only 1 in 10,000 queries has a true match in the candidate pool. The math doesn’t require most users to be identifiable for the attack to be practically useful. It just needs a few.

The code and datasets are not being released. The paper was approved by ETH Zurich’s Ethics Review Board.