The attacker sends satoshi to a used but empty address. The receiver then aggregates those satoshi to a new address by making a payment. At that point the old address and the new one are "linked" and the attacker can, with methods of chain analysis, try to trace your identity, having discovered, however, that you also have control of the old address.
this bold part is misleading because nobody can "trace your identity" this way, specially not by using blockchain analysis alone. all they can do is linking the different addresses if they weren't linked before only when the user consolidates the inputs in one transaction. and an address is not revealing the identity of the user on its own.