This work addresses a critical privacy threat posed by large language models (LLMs), which can exploit writing style to perform large-scale author de-anonymization on ostensibly anonymous documents—such as those in double-blind peer review. To counter this risk, the paper introduces DAS, a novel method that integrates LLMs with a tournament-style iterative selection mechanism. DAS efficiently identifies documents sharing the same author among tens of thousands of candidates through dense retrieval pre-filtering, multi-round prompting-based screening, and voting-based aggregation. Evaluated on anonymized peer-review data as well as standard benchmarks (Enron and blog corpora), DAS substantially outperforms existing approaches, achieving breakthroughs in both accuracy and scalability. The results reveal a previously underappreciated de-anonymization vulnerability driven by the stylistic sensitivity of modern LLMs.

As LLMs rapidly advance and enter real-world use, their privacy implications are increasingly important. We study an authorship de-anonymization threat: using LLMs to link anonymous documents to their authors, potentially compromising settings such as double-blind peer review. We propose De-Anonymization at Scale (DAS), a large language model-based method for attributing authorship among tens of thousands of candidate texts. DAS uses a sequential progression strategy: it randomly partitions the candidate corpus into fixed-size groups, prompts an LLM to select the text most likely written by the same author as a query text, and iteratively re-queries the surviving candidates to produce a ranked top-k list. To make this practical at scale, DAS adds a dense-retrieval prefilter to shrink the search space and a majority-voting style aggregation over multiple independent runs to improve robustness and ranking precision. Experiments on anonymized review data show DAS can recover same-author texts from pools of tens of thousands with accuracy well above chance, demonstrating a realistic privacy risk for anonymous platforms. On standard authorship benchmarks (Enron emails and blog posts), DAS also improves both accuracy and scalability over prior approaches, highlighting a new LLM-enabled de-anonymization vulnerability.