Yes there are confirmed cases.
In the Snowden documents from way back in the day, NSA says they can deanonymize a small amount of users.
There was a case that is always talked about in which some pedophile who was using Tails got hacked by the feds + facebook, which resulted in leaking his ip address. But I suppose that does not count for what you are looking for, since the criminal got hacked.
There was a more recent case of the Europeans using some compromised tor nodes + exploiting some sort of insecure chat software to deanonymize another pedophile. I do not remember the details. I do not think they caught him with malware that time.
I am too lazy to look up citations for any of this, but if you do some research it becomes obvious that yes, there have been confirmed cases. Despite it all, however, tor is still by far the best option probabilistically. It is not a magic bullet though.
edit- see
https://cyberinsider.com/tor-project-reassures-users-amid-claims-of-de-anonymization-attack/
for information on the recent pedophile case.