Endwall 05/10/2019 (Fri) 17:47:09 No.1397
Hypothetical Algorithm for De-anonymizing Tor Users who use Exit Nodes to view Clear-net resources.

Approximate stats: 6000 Total Relays, 1000 total exit nodes

6000 C 3 = 3.5982002 E10

So that's 35.9 Billion possible three node combinations/path selections.

Here is a possible type of attack, or analysis method. I would model all three node paths for travel time, or just model / send ping packets through each of the 36 Billion paths and make a lookup table of travel times. Then if you have all entry and exit nodes monitored (which they don't) then you could use this lookup table and compare it to what you see in real life. This will rule out certain paths.

Say that Joe is an important person who uses Tor, and all of Joe's outbound connections have been placed under surveillance. Joe connects at node A at time t0, and simultaneously, within a 5 second window, traffic emerges at 1000 distinct exit nodes and is observed. Calculate the time difference between these connections, and compare with the lookup table values that contain these entry and exit nodes. This will weed out several of the possible paths. So say the empirical travel time / delay time to these 1000 nodes from node A ranges from 100ms to 400ms, then you can cross off all paths with node A and the exit node (in the lookup tables) that are greater than 400ms from your ping tests, and less than 100ms, and come to a smaller subset of 3 node paths.

From there examine (from your listening posts) if any of those potential 3 node paths matches connections between node A and the remaining possible exit nodes. Namely, look at all of Node A's connections in that time window and compare this to the remaining paths in the lookup table. That will give an even smaller subset of paths to examine.

At that point you could calculate probabilities of the path selections being correct and rank them by the most probable. Seems like a lot of work but with only 34 Billion possible paths this seems tractable for a super-computing cluster.
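
The elimination steps described in the post above, run on a constructed 20-relay toy network to show how many candidate paths survive each stage. This is an added example, not part of the original post: the relay numbering, the `link_ms` delay formula and the observation values are all made up, and paths are treated as ordered entry/middle/exit triples.

```python
from itertools import permutations

RELAYS = range(20)       # constructed toy network, not real relays
EXITS = range(15, 20)    # constructed: 5 of the 20 relays act as exits

def link_ms(a, b):
    """Constructed, symmetric stand-in for a measured relay-to-relay delay."""
    return 50 + (7 * a * b + 13 * (a + b)) % 200

def build_table():
    """Lookup table: (entry, middle, exit) -> modeled path delay in ms."""
    return {(e, m, x): link_ms(e, m) + link_ms(m, x)
            for e, m in permutations(RELAYS, 2)
            for x in EXITS if x not in (e, m)}

def filter_by_window(table, entry, exits_seen, lo_ms, hi_ms):
    """Keep paths from `entry` to an observed exit with delay inside the window."""
    return {p: d for p, d in table.items()
            if p[0] == entry and p[2] in exits_seen and lo_ms <= d <= hi_ms}

def filter_by_peers(cands, peers_seen):
    """Keep paths whose middle relay is one the entry was seen talking to."""
    return {p: d for p, d in cands.items() if p[1] in peers_seen}

def rank(cands, observed_ms):
    """Order paths by how closely the modeled delay matches the observed one."""
    return sorted(cands, key=lambda p: abs(cands[p] - observed_ms[p[2]]))

# Constructed observations for entry relay 0 (the post's "node A"):
# delay seen at each exit, and the peers node A talked to in the window.
OBSERVED_MS = {15: 250, 16: 395, 17: 340, 18: 120, 19: 280}
PEERS_SEEN = {3, 7, 11}

if __name__ == "__main__":
    table = build_table()
    s1 = filter_by_window(table, 0, OBSERVED_MS.keys(), 100, 400)
    s2 = filter_by_peers(s1, PEERS_SEEN)
    print(len(table), len(s1), len(s2))   # candidate set after each stage
    print(rank(s2, OBSERVED_MS)[:3])      # closest delay matches first
```

The size of the set left after each filter is the residual anonymity set; how quickly it shrinks depends on how distinct the modeled path delays are from one another.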