Of course they can do that, but they wouldn't do it with the Browser Bundle running on their DEA office computer. There is a command line version of Tor with no Vidalia, which is what most Tor relays are running. It's possible that LEA in various countries are operating some of these relays.

The easiest attack is simple timing / traffic analysis. If LE controls your entry guard and exit node, they can see who you are and what site you are accessing. The probability of picking two malicious nodes like that is (c/n)^2, where c = number of malicious relays, n = total number of relays. It's more complicated than that, because your client picks relays with a probability weighted by bandwidth, but let's go with that as a first approximation.

If the DEA operated 50 relays, the chance that you pick 2 of them for your entry and exit is (50/3000)^2 = 1/3600. That's a relatively small chance for a rather large number of relays that they would have to operate. However, if you picked different entry nodes every ten minutes (when you build a new circuit), you would quickly get pwned (on the order of weeks).

But that's why entry guards exist. You stick with three of them for a few months at a time, so it would take years to cycle through them until you picked from the DEA nodes. That's on average. Some people would get pwned faster than others. It's the luck of the draw. But the point is that the entry guards greatly improve your safety, which is why you should not follow the advice of some "improve your Tor performance" guides that say to increase the entry guards to 8. That can potentially get you pwned faster.

All of this only applies to visiting clearnet sites. There are no exit nodes with hidden services. LE can't do a traffic confirmation attack because they don't know where the other end of the circuit is (although there are some well-known attacks for identifying hidden services).
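The comparison in the post above, worked through numerically as an added example (not part of the original post). It keeps the post's first approximation of uniform relay selection with c = 50 and n = 3000; the 90-day guard rotation standing in for "a few months", the independent draw of each guard, and all function names are assumptions made here.

```python
from math import comb

CIRCUITS_PER_DAY = 24 * 6  # a new circuit every ten minutes, as in the post

def survive_no_guards(c, n, days):
    """P(no circuit in `days` has a malicious entry AND a malicious exit)
    when a fresh entry node is picked for every circuit."""
    f = c / n
    return (1 - f * f) ** (days * CIRCUITS_PER_DAY)

def survive_one_guard_set(f, guards, days):
    """Survival over `days` with one fixed guard set, averaged over how many
    of the guards (k) happen to be malicious (binomial, assumed model)."""
    circuits = days * CIRCUITS_PER_DAY
    total = 0.0
    for k in range(guards + 1):
        p_k = comb(guards, k) * f**k * (1 - f) ** (guards - k)
        per_circuit = (k / guards) * f  # bad guard in use and bad exit picked
        total += p_k * (1 - per_circuit) ** circuits
    return total

def survive_with_guards(c, n, guards, rotation_days, days):
    """Survival over `days` when the whole guard set is redrawn every
    `rotation_days`; the last, partial rotation period is handled too."""
    f = c / n
    full, rest = divmod(days, rotation_days)
    return (survive_one_guard_set(f, guards, rotation_days) ** full
            * survive_one_guard_set(f, guards, rest))

def compromise_table(c=50, n=3000, rotation_days=90, horizons=(30, 365, 1825)):
    """Rows of (days, P no guards, P with 3 guards, P with 8 guards)."""
    return [(d,
             1 - survive_no_guards(c, n, d),
             1 - survive_with_guards(c, n, 3, rotation_days, d),
             1 - survive_with_guards(c, n, 8, rotation_days, d))
            for d in horizons]

if __name__ == "__main__":
    print(" days  no-guards  3-guards  8-guards")
    for days, none, three, eight in compromise_table():
        print(f"{days:5d}  {none:9.3f}  {three:8.3f}  {eight:8.3f}")
```

With a fixed guard set, almost all of the risk sits in whether any guard in the set is malicious: once one is, a malicious exit is picked within days, so the number of guards and how often they are redrawn dominate the result.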