It hasn’t, it’s just that good opsec is impossible in the long run and everyone is bound to be deanonymized eventually. For example, if you’re using a clean account on a CP sharing forum, it’s possible to track your mannerisms and post history (content, timezone, etc) to get an estimate of where you live. Then they can subpoena the ISPs for IP traffic in that region and figure out who is using Tor. That subset of IPs may then be cross referenced with the time that suspect’s account posted, that can be used as probable cause for a warrant… That sort of stuff. Sounds super complicated but most of it can be automated and bypassed these days (I don’t think you actually need to subpoena for example).
Where did the suspect fail? He should have used multiple accounts, spaced out the interactions more randomly, used stolen WiFi, ran his comments through a translator and back, etc. At no point did Tor fail at securing his IP address end to end