How a Tiny Pacific Island Became the Global Capital of Cybercrime

Despite having a population of just 1,400, until recently, Tokelau's .tk domain had more users than any other country. Here's why: Tokelau, a necklace of three isolated atolls strung out across the Pacific, is so remote that it was the last place on Earth to be connected to the telephone-- only in 1997. Just three years later, the islands received a fax with an unlikely business proposal that would change everything. It was from an early internet entrepreneur from Amsterdam, named Joost Zuurbier. He wanted to manage Tokelau's country-code top-level domain, or ccTLD -- the short string of characters that is tacked onto the end of a URL. Up until that moment, Tokelau, formally a territory of New Zealand, didn't even know it had been assigned a ccTLD. "We discovered the .tk," remembered Aukusitino Vitale, who at the time was general manager of Teletok, Tokelau's sole telecom operator.

Zuurbier said "that he would pay Tokelau a certain amount of money and that Tokelau would allow the domain for his use," remembers Vitale. It was all a bit of a surprise -- but striking a deal with Zuurbier felt like a win-win for Tokelau, which lacked the resources to run its own domain. In the model pioneered by Zuurbier and his company, now named Freenom, users could register a free domain name for a year, in exchange for having advertisements hosted on their websites. If they wanted to get rid of ads, or to keep their website active in the long term, they could pay a fee.

In the succeeding years, tiny Tokelau became an unlikely internet giant -- but not in the way it may have hoped. Until recently, its .tk domain had more users than any other country's: a staggering 25 million. But there has been and still is only one website actually from Tokelau that is registered with the domain: the page for Teletok. Nearly all the others that have used .tk have been spammers, phishers, and cybercriminals. Everyone online has come across a .tk -- even if they didn't realize it. Because .tk addresses were offered for free, unlike most others, Tokelau quickly became the unwitting host to the dark underworld by providing a never-ending supply of domain names that could be weaponized against internet users. Scammers began using .tk websites to do everything from harvesting passwords and payment information to displaying pop-up ads or delivering malware.

Re:Tik tok

[Eunomion]

Never heard of it.

Easy to block

[flyingfsck]

It is good if the primary use is junk - just block the whole TLD.

Tiny Island, Big Troubles

[Press2ToContinue]

Ah, the classic 'If you build it, they will spam' scenario. Who knew a tiny island could turn into a digital Atlantis for cyber ne'er-do-wells? It's like finding out your quaint country cottage is actually the Death Star of data theft. Maybe Tokelau's national anthem should be 'Never Gonna Give You Up' because let's face it, we've all been Rickrolled by a .tk at some point. And who would've thought 'Fax me, maybe?' would lead to such an epic plot twist in the saga of cybercrime. Guess they faxed their way into the heart of the internet underworld. If only they'd used that fax to send memes instead, the world would be a better place. (._.)

Easy example of bad policy

[Improv]

This is an easy example of how badly the TLD policies were drafted/managed. Tech people making decisions like this is a continual experiment in governance, except nobody ever learns from the mistakes because they don't realise it is governance.

The misuse of .tv and explosion of TLDs more or less mirrors all the junk that's made its way into Unicode because nobody ever had the standing and sense combined to say "no" and stick to it.

eh

[Anonymous Coward]

Country-level TLDs have been around forever and the original intent of .com etc. was for US businesses. Are you proposing to take away ".tv" and other country TLDs because you don't like the way countries are running their domain name systems?

Unicode is a shitshow anyway, the whole point of Unicode was that you could just see a string of characters and render it without needing different fonts. Then they decided to "unify" the Asian alphabets which is as ridiculous as saying "well, these Russian characters

Re: eh

[peppepz]

Han unification was needed because otherwise East Asian characters alone wouldn't have fitted into the 16-bit space that Unicode was in the late 80s. Enabling the creation of a single font for Thai and Egyptian Hieroglyphs was never a design goal.

Country based names

[Retired Chemist]

This just shows the total folly of having country-based names. They should be limited to the official use of the nation in question. Everything else should use general endings like .com and so on. The whole point of the internet is that it should not matter where you are. Even if this was not being abused, it is useless and unnecessary.

Re:

[RitchCraft]

Oh I don't know, it seems alright. Every culture is different. I'm sure that sex.us varies wildly from sex.br, sex.sa, or even sex.va.

Re:

[Improv]

There's a long history of things like .ac.co.uk - there's nothing wrong with including country names. They just should have at least something to do with the country involved - none of this "I will use the .tv TLD to talk about tv shows that have nothing to do with the country of Tuvalu"

Re:

[sarren1901]

I get it but how do you not expect someone to want to do something with .tv? For fun one link chuckle, check out landof.tv

Re:

[93 Escort Wagon]

If all the governments of the world somehow all agreed to that policy - I expect people would then start screaming bloody murder about censorship, government overreach, etc. etc.

Re:

[Improv]

ICANN should've insisted on it. Would not have even involved governments.

Re: Country based names

[peppepz]

It's not country-based, it's authority-based. The rule was simple: whoever is before a dot in a domain name manages whatever can come after the dot. So you can have people managing .org domain names under the .org rules, other people managing the .edu domain names under the .edu rules, and so on. As a subset of this scheme, each country was given its own authority that they could manage independently of other countries. It's actually very sensible, and it doesn't mean in any way that, say, a German company

something about the South Pacific

[Virtucon]

I'm old enough to remember a big fat guy who set something up called Mega, has anybody heard of either of them lately?

Life imitates art

[AlanObject]

Wasn't this scenario pretty much acted out in Neal Stephenson's book Cryptonomicon [wikipedia.org]? The Sultanate of Kinakuta.

Stephenson's books are infuriatingly digressive and incoherent at times but he does seem to be plugged into the culture pretty well.

Read this before - in Dutch

[Incadenza]

I hope they’re paying the writers of the original Dutch article: https://www.nrc.nl/nieuws/2023... [www.nrc.nl]