Was just a matter of time
I wonder how many millions or how many hundreds of thousands are burned now.
Probably what happened to help the statistical analyses thingies was coercing known and likely/suspected TOR users under some ruse or legit warrant to hand over their password. Then, after seizing their equipment, they probably impersonated said person for weeks on the user's own network and an agency shadow network while they had the subject in quarantine. Then, they compare paths, hops, latencies, fingerprints of the files, the embedded attachments and other content, then map the possible paths against replies and reply fingerprints.
Somewhere in all this probably are tens of thousands of AT&T, Cox, Comcast, Sprint, etc., others' hardware that secretly are NOT stripping off the headers in the routers (in 95, network classes taught that routers stripped out what wasn't for them, and did handshaking and such to enhance the quality of service and so on, but, hey, what if a backdoor since then came into existence to dump checksums of traffic, even embedded, hidden messages?), and forwarding checksums.
OK, I'm pulling all this out of my ass as fast as I can type, and I am not a SysAdmin of any merit. I just wing/ponder stuff as if fitting into a hopper for possible use in a movie script. Of course, before making such a suggestion in dialogue, real analysts might have to ponder it -- then worry about the risks of doing so under pre-delivered NSLs, hmmmmm...