Sorry for the epic triple post but here is a link to an article about how the feds traced a few tor hidden services with application layer exploits. There are roughly infinite potential application layer exploits that could be used to trace a Tor hidden service, but even if you don't count that class of attack there are plenty in the field of signals intelligence (and at least two in the MASINT field). Is late 2011 recent enough for you? https://www.tmcnet.com/usubmit/-dutch-police-trace-hidden-child-porn-websites-/2011/08/31/5743979.htm