Incorrect, hackers can hack you through Tor. Zero days are unpublished exploits that do not have commonly available patches to protect from them. For example, if the attacker is your ISP, and you visit a website hosted by your ISP, and your ISP watches user traffic, they can link you to the website. That is a passive/external attack, because it happens without the involvement of any Tor nodes. An active/internal attack would be if your entry Tor node is owned by the attacker and so is your exit Tor node (or the hidden services entry guard). It works by measuring the time difference between observing a packet at one location on the network and another. A simpler explanation can be given in the context of multiple packets, although a single packet is enough to do this sort of attack (it is just harder to think about). Imagine you send a stream of packets to a website through Tor. The packets look like this leaving you to your entry node: 00000 but since your entry node holds the packets and forwards them on, they can insert a timing difference between the individual packets, sending the first one out then waiting some period of time before sending the second one out. This allows them to create a watermark in the stream. Now, imaging '-' is time delay, the entry node delays sending your packets to the middle node such that the stream of packets through the middle node looks like this: 0---0--0-0----0 now the middle node is good, so it just gets the packets and forwards them on how they came in to the exit node, so now the exit node gets this 0---0--0-0----0 now if the exit node is run by the same attacker who ran your entry node, they can see the watermark they inserted in the stream, they know that the stream is the same one that went through their entry node. They know you sent the stream through their entry node because you connect directly to the entry node. Also, as they are the exit node, they know where the stream is going. So now they have deanonymized you and linked your traffic to its destination. This is a very primitive way in which this sort of attack could be carried out. In reality it works entirely passively and externally, meaning the attacker can simply observe the stream without modifying it, and they can observe it at the ISP level rather than the Tor node level. Also, they only need one packet, not an entire stream. Sort of. An attacker could give you a link to an attack page that exploits a vulnerability in your browser and roots you, and get your real IP that way. That is an advanced sort of attack though, and if you are fully patched up it would require a zero day. Also if you layer security techniques it may require several zero days and some good luck on the part of the attacker. It is more likely that they will try to send you a link to a java applet or flash video that tries to send data back around Tor to deanonymize you, but since the browser bundle this sort of attack is not as realistic.