blah why even waste my time to argue with your stupid ass what the fuck is an RV even for starters, you use a lot of acronyms that I have never heard before , and you brute force the hidden service to make it open a ton of circuits and your nodes will be used on some of them, and the attack is still entirely feasible against the network, you are the one who has no idea what you are talking about so fuck off calling it a silly theory lol you are the silly one to try to argue about things you have zero understanding of edit: looked up rv, you might want to just say rendezvous instead of use terminology that is not ever used in any of the literature and you of course are not understanding how this attack works. Yes my Tor client opens a circuit to a rendezvous point when it communicates with the Tor hidden service. Yes. The hidden service also opens a circuit to the rendezvous. A hidden service opens a new circuit for every single client that connects to it. A malicious client can make a hidden service open as many new circuits as it wants to as many rendezvous nodes as it wants. The hidden service uses new nodes for its circuits. If the malicious client that forces it to open arbitrary circuits has some nodes on the network, eventually the hidden service is going to use those nodes on its path to the rendezvous. Now the malicious client sends the hidden service packets with self created timing delay pattern and at its malicious nodes it looks for this pattern to identify traffic that is being routed to the hidden service from the malicious client. Doing this for long enough (not that long) traces the fucking hidden service as soon as the first node the actual server sends data to is owned by the attacker. Tor sort of tried to fix this by adding entry guards, nodes that Tor always tries to enter traffic through if they are up selected from a much smaller pool of randomly selected nodes (3 randomly selected nodes from the total list of nodes with the entry flag, changed every 30 to 60 days by default). Unfortunately this attack is still perfectly fucking fine for tracing the hidden service to its entry guards at which point a simple trap and trace order (with a MLAT if required) is enough to deanonymize the hidden service. Please try to read the fucking paper before making me waste my time to type an abstract of it