It seems possible the timing attack could have been (mostly) <i>outside</i> the Tor network:<p>They seemingly knew the guy's Ricochet username, which includes the Tor hidden service ID. Then, they ordered the ISP to monitor connections to Tor entry nodes and monitored when he came online and cross-checked that with the logs from the ISP. The article mentions that once they caught the guard node of his Ricochet client. That might have been when they were sure.<p>I think there was a similar case a long time ago where something similar happened.