What specific court cases document use of timing or netflow attacks against Tor users?
Executive summary
Court records and reporting show a small set of prosecutions where timing- or flow-correlation methods were documented or asserted. The first is a high-profile German investigation into the “Boystown” darknet community, which involved a Frankfurt Amtsgericht order compelling an ISP to identify customers who connected to covert Tor nodes (reported in German press and technical reviews) [1] [2] [3]. The second is a group of earlier U.S.-centered cases tied to the FBI’s “relay early” traffic confirmation exploit used against Freedom Hosting that surfaced in court filings and reporting around Eric Eoin Marques [4] [5].
1. German “Boystown” prosecution: court orders and timing analysis
Reporting by security outlets and summaries of court activity identify the Frankfurt district court (Amtsgericht) as issuing orders that compelled Telefónica (O2) to disclose customer records for connections to covert Tor nodes, as part of the investigation that led to the arrest of Andreas G. German authorities are said to have combined node control and timing correlation to deanonymize operators of the Boystown network [1] [2] [3].
2. Freedom Hosting / Eric Eoin Marques: relay‑early exploit surfaced in court papers
U.S. court filings and contemporaneous investigative reporting connect the takedown and prosecution of Freedom Hosting’s operator, Eric Eoin Marques, to an FBI operation that used a browser/exploit-based deanonymization tool. The tool was reported as exploiting a Firefox vulnerability and was linked to an operation that extracted identifying information from Tor users. News coverage tied the technical method to a “relay early” traffic-confirmation style attack described in leaked technical materials and court documents [5] [4].
3. The CMU “relay early” experiment and academic/Tor responses
The Tor Project and associated advisories discuss a relay-early traffic confirmation attack observed in academic and operational settings (often tied to a Carnegie Mellon-linked incident), in which modifying the RELAY_EARLY flag enabled linkage of entrance and exit traffic. Tor’s advisories and blog posts describe the attack’s mechanics, detection, and mitigations, and explicitly connect that pattern to past law-enforcement-associated operations revealed in court materials [6] [7] [4].
4. Netflow/traffic‑correlation research versus courtroom proof
Academic and Tor Project writeups explain that traffic correlation using netflow logs (matching timing and volume patterns collected from routers or ISPs) can deanonymize Tor flows in experiments, and that lab work has demonstrated substantial, though not perfect, success rates. The Tor Project has published commentary on a tech report and summarized that netflow correlation is a known threat, while reporting on prosecutions shows investigators combining node control, timing analysis, and ISP subpoenas to produce actionable identifications [8] [9] [1].
5. What the court documents actually show — and what remains opaque
Available public reporting and the Tor Project’s own statements indicate that courts have been asked to compel ISP records tied to identified Tor relays (e.g., the Frankfurt order) and that U.S. filings around Freedom Hosting referenced technical exploit activity. However, direct, fully publicized transcripts or redacted technical exhibits showing raw timing/netflow correlation methods in evidentiary form are sparse in the sources reviewed. The Tor Project and independent experts say the documents “strongly suggest” repeated law-enforcement timing-analysis operations, while also noting that some technical details remain undisclosed or redacted in judicial records [2] [7] [4].
6. Bottom line and alternative views
The clearest publicly reported, court-linked instances documenting timing/flow correlation are the German Boystown prosecutions involving a Frankfurt court order and the U.S. Freedom Hosting-related filings tied to the relay-early exploit. Tor Project advisories and academic work provide technical context and warn that netflow/timing correlation is feasible under certain conditions. Defenders of law enforcement argue these methods target serious criminal networks and rely on lawful process, while privacy advocates and Tor maintain the tactics expose design limits and raise legal and ethical questions about undisclosed technical methods in prosecutions [1] [5] [2] [7].