Share

How a tiny Pacific Island became the global capital of cybercrime

It was from an early internet entrepreneur from Amsterdam, named Joost Zuurbier. He wanted to manage Tokelau’s country-code top-level domain, or ccTLD—the short string of characters that is tacked onto the end of a URL. 

Up until that moment, Tokelau, formally a territory of New Zealand, didn’t even know it had been assigned a ccTLD. “We discovered the .tk,” remembered Aukusitino Vitale, who at the time was general manager of Teletok, Tokelau’s sole telecom operator. 

Zuurbier said “that he would pay Tokelau a certain amount of money and that Tokelau would allow the domain for his use,” remembers Vitale. It was all a bit of a surprise—but striking a deal with Zuurbier felt like a win-win for Tokelau, which lacked the resources to run its own domain. In the model pioneered by Zuurbier and his company, now named Freenom, users could register a free domain name for a year, in exchange for having advertisements hosted on their websites. If they wanted to get rid of ads, or to keep their website active in the long term, they could pay a fee.

In the succeeding years, tiny Tokelau became an unlikely internet giant—but not in the way it may have hoped. Until recently, its .tk domain had more users than any other country’s: a staggering 25 million. But there has been and still is only one website actually from Tokelau that is registered with the domain: the page for Teletok. Nearly all the others that have used .tk  have been spammers, phishers, and cybercriminals. 

Everyone online has come across a .tk––even if they didn’t realize it. Because .tk addresses were offered for free, unlike most others, Tokelau quickly became the unwitting host to the dark underworld by providing a never-ending supply of domain names that could be weaponized against internet users. Scammers began using .tk websites to do everything from harvesting passwords and payment information to displaying pop-up ads or delivering malware. 

a proliferation of .Tk emails with faces crying exclamation point tears

Many experts say that this was inevitable. “The model of giving out free domains just doesn’t work,” says John Levine, a leading expert on cybercrime. “Criminals will take the free ones, throw it away, and take more free ones.” 

Tokelau, which for years was at best only vaguely aware of what was going on with .tk, has ended up tarnished. In tech-savvy circles, many painted Tokelauans with the same brush as their domain’s users or suggested that they were earning handsomely from the .tk disaster. It is hard to quantify the long-term damage to Tokelau, but reputations have an outsize effect for tiny island nations, where even a few thousand dollars’ worth of investment can go far. Now the territory is desperately trying to shake its reputation as the global capital of spam and to finally clean up .tk. Its international standing, and even its sovereignty, may depend on it. 

Meeting modernity

To understand how we got here, you have to go back to the chaotic early years of the internet. In the late ’90s, Tokelau became the second-smallest place to be assigned a domain by the Internet Corporation for Assigned Names and Numbers, or ICANN, a group tasked with maintaining the global internet.