The only time LE have demonstrated that they traced hidden services, it was the result of applications being hacked. If you root a hidden service, you can get its IP address, unless you root an environment that is isolated away from external IP address, in which case you would need to break out of the isolation. There are numerous ways they could trace hidden services with pure traffic analysis, but so far they have never revealed that they have actually done this.