Pseudonymization Is No Longer a Safe Haven. LLMs Are Changing the Rules.
A new study by researchers from ETH Zurich, the Machine Learning Alignment Theory Scholars (MATS) program and Anthropic — published on arXiv as "Large-Scale Online Deanonymization with LLMs" — challenges one of the pillars of online personal data protection: the assumption that pseudonymity, combined with data dispersion across the web, guarantees de facto anonymity.

The findings are based on experiments correlating specific individuals with accounts or posts across multiple social platforms. The success rate is significantly higher than in classic deanonymization work, which relied on human researchers building structured datasets for algorithmic matching, or on the manual work of specialized investigators.
The team built a four-phase automated pipeline — called ESRC (Extract, Search, Reason, Calibrate) — capable of matching pseudonymous accounts to real profiles with up to 90% precision and up to 68% recall.
In the main test, the system correctly linked 67% of Hacker News users to their real LinkedIn profiles, starting from a pool of 89,000 candidates, after removing all direct identifiers.
THE COST: $1 TO $4 PER TARGET
The entire test operation cost less than $2,000, with a per-account identification cost between $1.41 and $5.64 (approximately $1–4) using standard commercial APIs.
Comparably effective deanonymization attacks previously required structured datasets suitable for algorithmic matching, exploitable technical vulnerabilities, or significant manual work by specialized investigators reserved for high-value targets.
Projecting the results to internet scale, the system achieves 35% recall with 90% precision on a pool of one million users.
A partially anonymized Anthropic dataset called Interviewer — published the previous December — was used for further testing. In this case, the pipeline successfully identified 9 of 33 anonymized scientists, drawn from 1,250 interviews in the dataset.
The models used in the pipeline were xAI's Grok 4.1 Fast, OpenAI's GPT-5.2, Google's Gemini 3 Flash and Gemini 3 Pro. No Claude models — such as Sonnet or Opus — were used in the tests, despite Anthropic researcher Nicholas Carlini serving as a consultant on the paper.
LLM SAFETY GUARDRAILS ARE NOT A RELIABLE DEFENSE
The researchers tested the safety guardrails of commercial LLMs during their experiments and found them insufficient to prevent deanonymization. In some scenarios, models refused to cooperate, but small prompt modifications bypassed those refusals every time.
The ESRC pipeline also fragments the attack into steps such as profile summarization, embedding computation, and candidate classification. This step-by-step approach produces a sequence resembling normal, innocuous usage, making automated abuse detection unreliable.
Open source models extend the threat beyond commercial API access, the researchers state, since safety guardrails can be removed and there is no usage monitoring in open source deployments.
The researchers add: increasing the model's reasoning effort improves deanonymization performance, implying that as frontier models become more capable, the attack could become even more effective by default.
WHO IS AT RISK AND MALICIOUS USE SCENARIOS
The paper outlines realistic abuse scenarios: surveillance of journalists, dissidents and activists; hyper-personalized advertising linking anonymous forum posts to customer profiles; personalized social engineering at scale; deanonymization of employees who rely on pseudonymity for protection.
Lead researcher Daniel Paleka stated he was surprised by "how little information is needed to link two accounts."
Co-researcher Simon Lermen wrote in a Substack post: "Ask yourself: could a team of smart investigators figure out who you are from your posts? If yes, LLM agents can probably do the same, and the cost of doing so is only going to drop."
Paleka added that deanonymization capability scales predictably with model improvements, though he noted that better safety guardrails could alter this trajectory: "If model makers improve guardrails to block deanonymization, models could refuse to deanonymize more, and therefore the overall deanonymization capability will be lower."
PROPOSED MITIGATIONS
The researchers propose as the most practical short-term mitigations: rate limits on API data access, robust detection of automated scraping, and restrictions on bulk data export — placing the primary response burden on platforms rather than AI providers.
They also highlight practical measures for individual users: limiting what is published publicly and regularly deleting old content to reduce residual identifiers.
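The platform-side mitigations named above (rate limits and detection of automated scraping) can be sketched as a check over API access logs. This is an added example, not code from the paper or from this article; the log format, key names and thresholds are assumptions. It flags an API key that reads many different users' post histories in a short window, separately from a plain request-rate limit.

```python
import re
from collections import defaultdict, deque

WINDOW_S = 60       # sliding window in seconds (assumed policy value)
MAX_DISTINCT = 25   # distinct profiles one key may read per window (assumed)
MAX_REQUESTS = 120  # plain request rate limit per key per window (assumed)
# Assumed log format: "<epoch_seconds> <api_key> GET /api/users/<profile>/posts"
LINE_RE = re.compile(r"^(\d+) (\S+) GET /api/users/([\w-]+)/posts$")

def flag_clients(lines):
    """Return {api_key: reason} for keys that exceed a limit in any window.
    Lines must be in time order."""
    recent = defaultdict(deque)  # api_key -> (timestamp, profile) in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a post-history read
        ts, key, profile = int(m.group(1)), m.group(2), m.group(3)
        q = recent[key]
        q.append((ts, profile))
        while q[0][0] <= ts - WINDOW_S:  # drop entries older than the window
            q.popleft()
        if key in flagged:
            continue
        distinct = len({p for _, p in q})
        if distinct > MAX_DISTINCT:  # breadth: many different users' histories
            flagged[key] = f"enumeration: {distinct} distinct profiles in {WINDOW_S}s"
        elif len(q) > MAX_REQUESTS:  # volume: classic rate limit
            flagged[key] = f"rate: {len(q)} requests in {WINDOW_S}s"
    return flagged

def sample_log():
    """Constructed traffic (not real data) for three client behaviours."""
    lines = []
    for i in range(40):   # walks 40 different profiles in 40 seconds
        lines.append(f"{1000 + i} key-crawler GET /api/users/user{i}/posts")
    for i in range(150):  # hammers a single profile, 3 requests per second
        lines.append(f"{1000 + i // 3} key-poller GET /api/users/alice/posts")
    for i in range(20):   # ordinary reader: one request every 30 seconds
        lines.append(f"{1000 + 30 * i} key-reader GET /api/users/user{i % 5}/posts")
    return sorted(lines, key=lambda l: int(l.split()[0]))

if __name__ == "__main__":
    for key, reason in flag_clients(sample_log()).items():
        print(key, "->", reason)
```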
The researchers refrained from releasing the pipeline code or processed datasets, citing the risk that doing so would further lower the barrier to entry for malicious actors. The preprint paper was published on arXiv (arXiv:2602.16800) and is awaiting peer review.
The Regulatory Problem: GDPR Rests on Assumptions That AI Is Undermining
GDPR Recital 26 states, in substance, that personal data are not considered as such if the re-identification process "would require disproportionate and unreasonable effort." This notion — what Anglo-Saxon doctrine calls practical obscurity — is exactly what this study challenges.
"Practical obscurity" — the idea that pseudonymous, dispersed posts were safe because linking them was too costly — may no longer hold.
The compliance consequences are immediate:
- Art. 4(5) GDPR — Pseudonymization. Those using pseudonymization as a security measure under Art. 32 GDPR must reassess whether this measure is still adequate to the concrete risk. An LLM pipeline costing a few dollars per target is now accessible to anyone.
- Art. 25 GDPR — Privacy by Design. System design relying on pseudonymization as the primary safeguard must account for the new threat. The residual risk changes.
- Art. 35 GDPR — DPIA. Any processing involving public data collection, profiling or large-scale research must update the impact assessment incorporating this risk category. Attack scenarios now include low-cost agentic LLM tools.
The Invisible Risk: The Pipeline Looks Innocuous
This is perhaps the most insidious part. The pipeline is composed of individually innocuous steps: summarizing texts, generating embeddings, classifying candidates and reasoning about results. No single component appears inherently malicious, making detection through conventional safeguards difficult.
In other words: abuse monitoring systems — including those of platforms and LLM providers — struggle to distinguish this type of attack from ordinary use.
The researchers tested the safety guardrails of commercial LLMs and found them insufficient. In some scenarios models refused to cooperate, but small prompt modifications bypassed those refusals every time.
This article is for informational purposes and does not constitute legal advice. The positions expressed reflect Tomato Blue RegTech's analysis. For specific assessments, consult a qualified professional. © 2026 Tomato Blue.