What empirical measurements exist quantifying deanonymization success rates against modern Tor clients under different AS‑level adversaries?
Executive summary
Empirical work over the past decade has not produced a single, universal "success rate" for deanonymization of modern Tor clients by AS‑level adversaries; instead, measurement studies report the fraction of Tor circuits that are vulnerable to traffic‑correlation or route‑manipulation attacks under particular assumptions and locations (for example, up to 40% vulnerable circuits in a 2015 snapshot) [1]. More recent, larger‑scale active measurements using RIPE Atlas find that the overall picture is stable over time, that only a few large ASes pose the dominant risk, and that mitigation through AS‑aware path selection substantially reduces measured vulnerability [2] [3] [4].
1. What the measurements actually quantify — “vulnerable circuits,” not real‑time deanonymization
Key empirical studies frame their results as the proportion of circuits that an AS (or set of ASes) could observe simultaneously or via asymmetric paths, which the authors interpret as vulnerability to traffic‑correlation rather than as direct, empirically observed deanonymizations of real users. The influential 2015 measurement found up to 40% of circuits vulnerable to single AS adversaries, 42% to colluding ASes, and 85% to state‑level adversaries in their experiments [1] [5], and the authors stress that these are probabilities of exposure, not measured exploit events.
2. Methods matter — RIPE Atlas active probing vs BGP‑update inference
Different empirical pipelines produce different pictures: earlier work relied heavily on BGP route updates and passive data to infer AS paths, while more recent studies deploy active probing via the RIPE Atlas network (11,000+ probes) to measure how packets actually traverse the Internet; the extended 2024 study explicitly contrasts these approaches and applies active measurements for IPv4 and IPv6 across countries to infer deanonymization potential [2] [3].
3. Time, location and protocol change the numbers — what recent large studies show
The extended measurement campaign repeated 2020 experiments and added IPv6 and Russia as case studies, reporting that the "overall picture has remained unchanged" in Germany and the U.S., that IPv6 does not present an increased threat relative to IPv4 in their measurements, and that Russian clients in their dataset experienced a comparatively lower risk because the few ASes with deanonymization potential were operated by Western companies [2] [3] [6].
4. Concrete mitigation measurements — how much can path‑selection lower vulnerability?
Empirical evaluations of AS‑aware Tor clients and routing heuristics find dramatic reductions in measured vulnerability: the 2015 Astoria work reported reducing vulnerable circuits from up to 40% down to roughly 2% against single AS adversaries and under 5% against colluding ASes, while more recent routing proposals like TOAR report they can "effectively improve anonymity while maintaining communication quality" and minimize anonymity loss from AS‑level adversaries in measured experiments [1] [4].
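To make the "vulnerable circuits" metric from section 1 and the path-selection effect from section 4 concrete, the following is an added example, not code from any of the cited studies, and the filter is a simplified stand-in rather than Astoria's or TOAR's algorithm. The AS paths are constructed (documentation-range AS numbers), and the function names are hypothetical.

```python
from itertools import product

# Constructed AS paths (documentation ASNs 64496-64511), not measured data.
# Each segment has forward and reverse paths because Internet routing is often asymmetric.
ENTRY = {  # client <-> guard relay
    "guardA": {"fwd": [64496, 64500, 64501], "rev": [64501, 64502, 64496]},
    "guardB": {"fwd": [64496, 64503, 64504], "rev": [64504, 64503, 64496]},
}
EXIT = {  # exit relay <-> destination
    "exitX": {"fwd": [64505, 64500, 64510], "rev": [64510, 64506, 64505]},
    "exitY": {"fwd": [64507, 64502, 64510], "rev": [64510, 64508, 64507]},
    "exitZ": {"fwd": [64509, 64508, 64510], "rev": [64510, 64508, 64509]},
}
ALL_CIRCUITS = list(product(ENTRY, EXIT))

def observers(segment, directions=("fwd", "rev")):
    """ASes that carry the segment's traffic in any of the given directions."""
    return {asn for d in directions for asn in segment[d]}

def exposing_ases(guard, exit_relay, colluding=(), directions=("fwd", "rev")):
    """ASes positioned on both the entry and the exit side of one circuit."""
    entry = observers(ENTRY[guard], directions)
    exit_side = observers(EXIT[exit_relay], directions)
    hits = entry & exit_side                      # one AS sees both ends
    for group in map(set, colluding):             # a colluding group counts as one observer
        if group & entry and group & exit_side:
            hits |= group & (entry | exit_side)
    return hits

def vulnerable_fraction(circuits, **kw):
    """Share of circuits with an observer on both ends (exposure, not attack success)."""
    circuits = list(circuits)
    return sum(bool(exposing_ases(g, e, **kw)) for g, e in circuits) / len(circuits)

def as_aware_circuits(**kw):
    """Keep guard/exit pairs with no common observer; fall back to all pairs if none qualify."""
    safe = [c for c in ALL_CIRCUITS if not exposing_ases(*c, **kw)]
    return safe or ALL_CIRCUITS

if __name__ == "__main__":
    print("forward paths only :", vulnerable_fraction(ALL_CIRCUITS, directions=("fwd",)))
    print("both directions    :", vulnerable_fraction(ALL_CIRCUITS))
    print("with collusion     :", vulnerable_fraction(ALL_CIRCUITS, colluding=[(64503, 64508)]))
    print("AS-aware selection :", as_aware_circuits(colluding=[(64503, 64508)]))
```

On this constructed topology the exposed share rises from 1/6 to 2/6 once reverse paths are counted and to 4/6 with one colluding pair, which is why the studies' percentages depend so heavily on how paths are inferred and which adversary model is assumed.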
5. Attack modalities and practical caveats — BGP hijacks, asymmetric correlation and simulated traffic
Measurement papers also document attack vectors that can increase success rates beyond passive observation — e.g., experiments and analyses of asymmetric traffic correlation, BGP hijacks/interceptions, and "Trapper" style attacks demonstrate that route manipulation can enable exact deanonymization under lab conditions; many of these results derive from controlled traffic generation or simulated clients to avoid harming real users, meaning they establish feasibility and relative risk rather than report observed, operational deanonymizations in the wild [7] [8].
6. Bottom line and evidentiary limits
The empirical corpus provides repeated, methodologically diverse quantifications of "vulnerability" percentages (not real‑time exploited success rates) that depend strongly on user location, AS topology, IPv4 vs IPv6, and whether adversaries collude or manipulate routing; headline numbers to cite are the 2015 finding of up to ~40% vulnerable circuits and the follow‑on demonstrations that AS‑aware path selection can reduce that to single‑digit percentages, while large‑scale active RIPE Atlas measurements from 2020–2023/2024 show a stable ecosystem with a small set of ASes posing outsized risk [1] [2] [3] [4]. These studies are authoritative about relative risk and mitigation effectiveness but limited in producing a single empirical "success rate" for deanonymization in real operational settings because they measure exposure potential, not the rate of successful, confirmed deanonymizations.