AI can unmask online users for just a few dollars each


Researchers have devised a method that allows large language models (LLMs) to strip anonymity from pseudonymous online accounts at scale for as little as $1.41 per target, using commercially available APIs for the AI systems.



In doing so, the researchers have shown that the assumption of online identities being protected through pseudonymity is no longer particularly robust, as the AI tools can quickly and cheaply identify users through their posts.

A paper, Large-scale online deanonymisation with LLMs, by researchers at the Swiss Federal Institute of Technology ETH Zurich, the Machine Learning Alignment Theory Scholars’ program, and AI vendor Anthropic, describes a pipeline that correctly identifies pseudonymous users with high precision.

The paper points to the surveillance of journalists, dissidents, and activists as a realistic threat.

Hyper-targeted advertising that links anonymous forum posts to customer profiles, along with personalised social engineering at scale, is another scenario.

Employees relying on pseudonymity for protection could also be unmasked using the researchers’ technique.

Essentially, LLMs are able to pick up on specific pieces of information, such as locations, conferences attended, niche hobbies, job titles and more, to narrow down who the person is likely to be.

For the study, the researchers built a four-stage attack framework they named ESRC: Extract, Search, Reason, and Calibrate.

It works by an LLM first extracting identity-relevant signals from unstructured posts, such as demographics, writing style, incidental disclosures, interests, and linguistic patterns.

Semantic embeddings then search a candidate pool for likely matches, before a second, more capable model reasons over top candidates to verify the best match.

A final calibration stage controls the false positive rate, allowing the attacker to trade off precision against how many users they successfully identify.

The researchers’ approach runs entirely on unstructured text, requiring no structured data, predefined features, or manual effort from skilled investigators.

In the researchers’ testing, the LLM pipeline achieved 45.1 percent recall at a 99 percent precision threshold when matching Hacker News accounts to LinkedIn profiles across a pool of 89,000 users.

Previous automated methods achieved just 0.1 percent recall at the same precision.

In a separate test linking pseudonymous Reddit accounts across time, the full LLM pipeline identified more than a third of all users at 99 percent precision.

A partially redacted dataset from Anthropic called Interviewer, published in December last year, was also used for the researchers’ testing.

Here, the LLM pipeline was able to ferret out the identities of nine of the 33 anonymised scientists, drawn from the 1250 interviews in the dataset.

The models used in the pipeline were Grok 4.1 Fast from xAI, GPT-5.2 from OpenAI, and Gemini 3 Flash and Gemini 3 Pro from Google.

No Claude model such as Sonnet or Opus was used for the tests, despite Anthropic researcher Nicholas Carlini acting as an adviser on the paper.

Cheap deanonymising of online users is now possible

The researchers estimate their agentic pipeline costs between $1.41 and $5.64 (US$1-4) per target, using standard commercial AI APIs.

Previous deanonymisation attacks of comparable effectiveness required either structured datasets amenable to algorithmic matching, exploitable technical vulnerabilities, or significant manual effort from skilled investigators reserved for high-value targets.

The pipeline extrapolates to internet-scale datasets with non-trivial success, the researchers say, projecting roughly 35 percent recall at 90 percent precision against a candidate pool of 1 million users.

Future models will bring even greater accuracy and lower cost, the researchers predict.

Guardrails not a reliable defence

The researchers tested commercial LLM safety guardrails during their experiments and found them insufficient to prevent deanonymisation.

In some scenarios the agents declined to assist, but small changes to the prompts circumvented those refusals each time.

The ESRC pipeline also fragments the attack into steps such as summarising profiles, computing embeddings, and ranking candidates.

This step-by-step approach resembles normal, benign usage, which makes automated misuse detection unreliable.

Open-source models extend the threat beyond commercial API access entirely, the researchers said, because safety guardrails can be stripped out and there is no usage monitoring on open-source deployments.

The researchers suggest rate limits on API data access, automated scraping detection, and bulk data export restrictions as the most practical near-term mitigations, placing the primary burden of response on platforms rather than AI providers.

They stopped short of releasing their pipeline code or processed datasets, citing the risk that doing so would further lower the barrier for malicious actors.

The researchers’ preprint paper has been posted to arXiv and is awaiting peer review. 


