A. Make a fake website that looks like a news website of some sort. I could just spider out a legitimate website and change the branding, and register a legit sounding domain name. The news article will be relevant to SR and will link to yet another URL that claims to have a .pdf that has leaked with information on SR. The PDF will phone home as soon as it is opened, and give a list of all of the IP addresses of those who opened it without proper countermeasures. The entire time I will be running a script to check the who is online section of the forum and who all has visited the thread versus the non Tor IP addresses seen downloading the PDF. Any found IP address can immediately be narrowed to the crowd size of users who viewed the thread, I could also attempt various strategies to narrow further on who the IP address belongs to, perhaps I could DDOS it on a few occasions while monitoring who is online and see if I can cause a pattern in knocking someone off of SR (this will be even easier to do if they happen to visit the SILC channel). Perhaps I can monitor if you continually browsed SR after viewing that thread or if you had a pause that is consistent with someone switching their focus to the news article and downloading and reading the fake PDF. The timing between when you view the thread and when you open the PDF will also be useful for narrowing in on you. Perhaps you are a vendor and I know where you ship from, and I can geoposition all of the non-tor IP addresses well enough to leave you as the only suspect . B. Do the same thing as above but using a link to a flash video. The moral of the story is make sure you protect yourself from these simple proxy bypass attacks, I am willing to bet that at least some people here open PDFs without having a fully isolated OS or being behind a transparent proxy or opening it in a restricted VM or having proper firewall rules or access controls. I also imagine several have flash enabled. I could probably also do the news thing and a lot of people would probably infact visit the article without even using Tor, I have seen several people here indicate that they use a different browser that isn't behind Tor to open clearnet links that they find on SR. edit: Hm actually this would work better against a private forum since anonymous viewing is allowed here. That would make this attack less easy to carry out but not impossible, it would introduce some noise but probably wouldn't make it impossible to deanonymize at least some of the people who open the PDF (they would just need to be logged in when they go to the thread, although just intel on IP addresses could be useful if coupled with knowledge of vendors shipping locations). If I owned the SR server I could do some additional things as well, if any real IP addresses visit the news site I could compare their browser fingerprint to the browser fingerprints of SR users and attempt to further narrow the crowds based on this or find a correlation. I could also very quickly link IP addresses to pseudonyms with the DDOS / who is online monitoring technique, since I would quickly be able to see if any latency patterns arise in pseudonymous users streams after I DDOS the suspect IP address. Ohhh I could also do that new remote website fingerprinting attack against the identified IP addresses over a long period of time, and compare the times they are detected as browsing SR forum to the who is online list and intersect the resulting crowds. That would probably be the best technique to link an IP address to its SR pseudonym. Of course you would need to not be taking proper countermeasures with PDFs first....but I bet that is true for many of you.