Are there documented cases where Tor use alone led to criminal charges or service termination by ISPs?

1. What "Tor use alone" means—and why that distinction matters

The user’s question separates two things: mere use of the Tor client to browse versus operating Tor infrastructure or committing an underlying crime; legal risk profiles differ sharply between those roles. Relay operators assume distinct legal questions because exit traffic can look like it originates from their IP and because actively monitoring or logging traffic can create specific wiretap or disclosure liabilities under U.S. law, according to the Tor Project’s and EFF’s legal guidance for relay operators ^{[1] [2]}. Ordinary Tor users benefit from layered anonymity protections that make attribution harder, but that does not make them immune from investigation when other evidence or technical mistakes appear.

2. Documented law‑enforcement actions tied to relays and mistaken attribution

There are documented incidents where police seized equipment or suspected relay operators because illicit traffic appeared to come from their IP address; the Tor Project and EFF cite multiple examples including a 2016 Seattle police raid on a privacy activist running an exit relay and the Russian arrest of mathematics instructor Dmitry Bogatov, who was later cleared ^{[1] [2]}. Those cases show that operating an exit relay can draw enforcement attention and, in some jurisdictions, lead to raids or arrests—though outcomes vary and some accused operators have been exonerated ^{[1] [2]}.

3. Prosecutions that involved Tor—but not necessarily “Tor use alone”

High‑profile criminal cases connected to Tor usually involve identification of criminal content or operational compromises, not prosecution for mere use of the network. Wikipedia’s Tor history notes instances where flaws in client software or associated applications (for example, a Flash exploit) exposed user IPs and led to prosecutions in child‑exploitation investigations; these prosecutions targeted underlying criminal acts revealed through deanonymization, not the abstract act of running Tor ^[3]. Similarly, reporting on federal child‑pornography cases references arrests and searches tied to alleged receipt or distribution of illegal material via Tor, indicating prosecutions are for the underlying offense rather than for using Tor itself ^[6].

4. ISPs: threats, scrutiny, and the thin public record on outright terminations

Consumer ISPs can see that a customer is using Tor and may treat that activity as suspicious, particularly if the user is unique in their area, which can increase scrutiny ^[5]. Public reporting records threats by ISPs like Comcast that they would cut service to customers using Tor, but comprehensive public evidence of systematic service terminations solely for Tor use is sparse in the provided sources ^[4]. Forum posts and security commentary also note that running relay software may violate consumer ISP terms (servers or services), creating business‑plan or subscription conflicts, but such reports are anecdotal or advisory rather than formal legal findings ^[7].

5. Bottom line, caveats, and where the record is thin

The documents and reporting provided establish that running Tor relays can lead to raids, seizures, arrests, and legal exposure—especially if an operator logs traffic or if law enforcement misattributes exit traffic—and that Tor users can be deanonymized by exploits and then prosecuted for unrelated crimes revealed by that deanonymization ^{[1] [2] [3] [6]}. They do not, however, present a clear, documented pattern of prosecutions for mere, law‑abiding use of the Tor client alone or widespread ISP disconnections purely for Tor usage; available sources are explicit about legal uncertainties and advise caution, and they highlight factual gaps across jurisdictions ^{[1] [2] [5]}. Where precise, jurisdiction‑level records of prosecutions or termination notices are required, the current reporting is limited and would require further case‑by‑case legal research.