This may be easier than it looks, since the number of users who fit the behavioral profile of SR vendors (i.e., logging on daily) is about 20 in a city with 100K people, and 200 in a city with 1M people: http://dkn255hz262ypmii.onion/index.php?topic=158464.msg1124077#msg1124077 Read that post, then read the one below it where I update my estimate.

Here's what LE could do. They find a vendor who is selling a range of drug amounts, like 1 gram up to an ounce of cocaine. They check the reviews to make sure the vendor is getting sales and actually pushing that product. This would be someone with many ounces of cocaine. Then they buy 1 gram off the vendor. Only costs $150 and they know the vendor's city. They hand the ISP a list of Tor entry guards and known bridges, and request the subscriber info of everyone who connects to those IP addresses, say 5 days out of the next 7 days. In a week they are down to a list of 10 - 200 people.

They start watching those subscribers and messaging the vendor, looking at the response times, so it's basically a low-grade correlation attack, similar to what they did to this guy: http://arstechnica.com/tech-policy/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon/ They watched his local network with a tap and trace device installed in his computer and correlated it to his IRC activity (which he accessed over Tor).

What percentage of those daily users will be online at the specific hour when a message is received from the vendor? 10%, 20%, 50%? Even in the "worst" case scenario for LE, they can exclude half the people on their list every time they receive a message. How many halvings does it take to get down to one person that they can start investigating IRL? Even if they start with a list of 200 people, surprisingly it takes only 9 halvings, which is 9 messages. Unfortunately for them, there is a small percentage of users who stay online all the time (like on IRC), so those people will never be excluded from the list. LE would have to investigate all of them.

I should note that it's easy to defend against this attack. Use a VPN or rent a VPS and set up a private bridge.

So why hasn't this happened yet? Surely the computer experts that they employ have thought of it. I think SS is right, LE either doesn't care, or it's too inefficient. Maybe the last leg isn't worth it, i.e., they reduce 200 users to 20 or 30 who are always online, but investigating all of them is too much work to bust someone pushing the amounts of drugs that SR vendors push. And if anything I said is remotely true, then you can help vendors by using Tor all the time.