How a tiny Pacific Island became the global capital of cybercrime


via MIT Technology Review https://ift.tt/aGYbTZ4

Tokelau, a necklace of three isolated atolls strung out across the Pacific, is so remote that it was the last place on Earth to be connected to the telephone—only in 1997. 

Just three years later, the islands received a fax with an unlikely business proposal that would change everything.

It was from an early internet entrepreneur from Amsterdam, named Joost Zuurbier. He wanted to manage Tokelau’s country-code top-level domain, or ccTLD—the short string of characters that is tacked onto the end of a URL. 

Up until that moment, Tokelau, formally a territory of New Zealand, didn’t even know it had been assigned a ccTLD. “We discovered the .tk,” remembered Aukusitino Vitale, who at the time was general manager of Teletok, Tokelau’s sole telecom operator. 

Zuurbier said “that he would pay Tokelau a certain amount of money and that Tokelau would allow the domain for his use,” remembers Vitale. It was all a bit of a surprise—but striking a deal with Zuurbier felt like a win-win for Tokelau, which lacked the resources to run its own domain. In the model pioneered by Zuurbier and his company, now named Freenom, users could register a free domain name for a year, in exchange for having advertisements hosted on their websites. If they wanted to get rid of ads, or to keep their website active in the long term, they could pay a fee.

In the succeeding years, tiny Tokelau became an unlikely internet giant—but not in the way it may have hoped. Until recently, its .tk domain had more users than any other country’s: a staggering 25 million. But there has been and still is only one website actually from Tokelau that is registered with the domain: the page for Teletok. Nearly all the others that have used .tk  have been spammers, phishers, and cybercriminals. 

Everyone online has come across a .tk, even if they didn’t realize it. Because .tk addresses were offered for free, unlike most others, Tokelau quickly became the unwitting host to the dark underworld by providing a never-ending supply of domain names that could be weaponized against internet users. Scammers began using .tk websites to do everything from harvesting passwords and payment information to displaying pop-up ads or delivering malware. 

[Illustration: a proliferation of .tk emails with faces crying exclamation-point tears. Credit: Chrissie Abbott]

Many experts say that this was inevitable. “The model of giving out free domains just doesn’t work,” says John Levine, a leading expert on cybercrime. “Criminals will take the free ones, throw it away, and take more free ones.” 

Tokelau, which for years was at best only vaguely aware of what was going on with .tk, has ended up tarnished. In tech-savvy circles, many painted Tokelauans with the same brush as their domain’s users or suggested that they were earning handsomely from the .tk disaster. It is hard to quantify the long-term damage to Tokelau, but reputations have an outsize effect for tiny island nations, where even a few thousand dollars’ worth of investment can go far. Now the territory is desperately trying to shake its reputation as the global capital of spam and to finally clean up .tk. Its international standing, and even its sovereignty, may depend on it. 

Meeting modernity

To understand how we got here, you have to go back to the chaotic early years of the internet. In the late ’90s, Tokelau became the second-smallest place to be assigned a domain by the Internet Corporation for Assigned Names and Numbers, or ICANN, a group tasked with maintaining the global internet. 

These domains are the address books that make the internet navigable to its users. While you can create a website without registering a domain name for it, it would be like building a house without an easily findable postal address. Many domains are familiar. The UK has .uk, France .fr, and New Zealand .nz. There are also domains that are not tied to specific countries, such as .com and .net. 

Most countries’ domains are run by low-profile foundations, government agencies, or domestic telecom companies, which usually charge a few dollars to register a domain name. They usually also require some information about who is registering and keep tabs to prevent abuse. 

But Tokelau, with just 1,400 inhabitants, had a problem: it simply didn’t have the money or know-how to run its own domain, explains Tealofi Enosa, who was the head of Teletok for a decade before stepping down in July 2023. “It would not be easy for Tokelau to try and manage or build the local infrastructure,” Enosa says. “The best arrangement is for someone else from outside to manage it, trade it, and bring in money from it.”

This is precisely what Zuurbier, the businessman from Amsterdam, wanted to do. 

Zuurbier had come across Tokelau while chasing the internet’s next big idea. He was convinced that just as people had adopted free email addresses by the millions, the natural next step was for them to have their own free websites. Zuurbier intended to put advertisements on those sites, which could be removed for a small fee. All he needed to turn this billion-dollar idea into reality was a place with a ccTLD that had not yet found a registrar. 

Tokelau—the last corner of the British Empire to be informed about the outbreak of World War I, where regular shortwave radio wasn’t available until the ’70s and most people were yet to even see a website—was the perfect partner. 

Representatives from Tokelau and Zuurbier met in Hawaii in 2001 and put pen to paper on a deal. Quickly, .tk domain names began to pop up as people took advantage of the opportunity to create websites for free. He still had to convince ICANN, which oversees the domain name system, that Tokelau couldn’t host its own servers—one of the criteria for ccTLDs. But Tokelau—which switched off its power at midnight—would still need a reliable internet connection to keep in touch. In 2003 Zuurbier took a grueling 36-hour boat ride from Samoa to Tokelau to install internet routers that he had bought for $50 on eBay. 

Gone was the unreliable dial-up. Tokelau had met modernity. “He provided all the equipment, got all the three atolls connected up, and then he also provided some funding which I used to share with the community,” says Vitale, who established internet cafés that could be used for free by anybody from Tokelau’s four hamlets. 

For the first time, thousands of Tokelauans in New Zealand were able to easily connect with home. “What was important for Tokelau was that we were getting some money that could help the villages,” says Vitale.  Many of the initial sign-ups on .tk were completely innocuous individuals wanting to blog about thoughts and holidays, as well as gaming communities and small businesses. 

Zuurbier sent Teletok regular reports about .tk’s growth, and they indicated that the free-domain model was working better than anybody expected. Tiny Tokelau, which was being paid a small cut of the profits Zuurbier was making, was going global. 

“We were hearing how successful .tk was. We were bigger than China,” says Vitale. “We were surprised, but we didn’t know what it meant for Tokelau. What was more meaningful at the time was that we were getting money to help the villages. We didn’t know about the other side of it then.” 

As the decade wore on, however, it looked to Vitale as if things were beginning to blow off course. “We went in blind,” he says. “We didn’t know how popular it would be.”

Things fall apart

It took until the late 2000s for Vitale to realize that something had gone badly wrong. After problems first arose, Zuurbier invited ministers and advisors from Tokelau to the Netherlands, paid for their flights, and explained the business’s nuts and bolts in an effort to reassure them. They went to watch Samoa play at the Rugby World Cup in France. 

“He [Zuurbier] appeared to be a really nice person,” Vitale remembers. “There was all this nice stuff that felt homely, warm fuzzies.” .Tk had hit the milestone of 1 million domain users. 

But soon after this trip, he says, Zuurbier started falling behind on scheduled payments to Tokelau worth hundreds of thousands of dollars. (MIT Technology Review requested an interview with Zuurbier. He initially accepted but subsequently did not answer the phone or respond to messages.)

Meanwhile, Vitale had begun receiving complaints from concerned members of the “internet community.” He and his peers started to become aware that criminals and other questionable figures had cottoned onto the benefits that registering free domains could bring—providing an almost unlimited supply of websites that could be registered with virtual anonymity. 

“It was obvious from the start that this was not going to turn out well,” says Levine, coauthor of The Internet for Dummies. “The only people who want those domains are crooks.” 

Levine says that .tk had started attracting unsavory characters almost immediately. “The cost of the domain name is tiny compared to everything else that you need to do [to set up a website], so unless you’re doing something weird that actually needs lots of domains—which usually means criminals—then the actual value in free domains is insignificant,”  he says.

What started as techies complaining to Vitale about spamming, malware, and phishing on .tk domains soon turned into more worrisome complaints from the New Zealand administrator tasked with overseeing Tokelau, asking him whether he was aware of who .tk’s users were. Allegations surfaced that .tk websites were being used for pornography. Researchers had found jihadists and the Ku Klux Klan registering .tk websites to promote extremism. Chinese state-backed hackers had been found using .tk websites for espionage campaigns. 

“Satanic stuff” is how Vitale describes it: “There were some activities that were not really aligned with our culture and our Christianity, so that didn’t work very well for Tokelau.” With Zuurbier not replying to worried emails, Vitale moved to unplug him. He opened negotiations with Internet NZ, the registry that runs New Zealand’s squeaky-clean domain, about how Tokelau might be able to wiggle out of its arrangement. He didn’t manage to get an answer before he moved on from Teletok. 

His successor, Enosa, tried to set the relationship on a new footing and signed new deals with Zuurbier on the understanding that he would clean up .tk. However, that never happened. One of Enosa’s final acts as general manager at Teletok, in the summer of 2023, was to reopen negotiations with Internet NZ about how Tokelau might be able to extricate itself from the deal once and for all. 

Meanwhile, most of Tokelau’s residents weren’t even aware of what was happening. Elena Pasilio, a journalist, saw firsthand how much this was hurting her home. When she was studying in New Zealand a few years ago, people—knowing that she was Tokelauan—started to tag her on social media posts complaining about .tk. 

At first, she felt confused; it took time before she even realized that .tk meant Tokelau. “I was really surprised by how many users it had, but then I realized that a lot of people were using .tk to make dodgy websites, and then I felt embarrassed. I was embarrassed because it had our name on it,” Pasilio explains. “It has got our name tangled up there with crimes that people here would not even begin to understand.” 

There is a sense from both Vitale and Enosa that Zuurbier cared little as Tokelau’s reputation was dragged through the mud. “I would argue with Joost,” Enosa says, adding that he would remind him he was the custodian for a legal asset that belonged to Tokelau alone. According to Enosa, he would shoot back: “I built this infrastructure from my own pocket. I spent millions of dollars building it. Do you think that was easy? Do you think that Tokelau can build this kind of infrastructure itself?” 

“I said: ‘Okay. Understood,’” Enosa recalls. “I understood how a white man looks at it. You know? This is how white men look at things. I understand that.” 

Digital colonialism 

What has happened to Tokelau is not unique. The domains of small islands across the Pacific are cited in numerous stories either celebrating dumb luck or complaining of massive abuse. 

Tuvalu has managed to turn .tv into approximately 10% of its annual GDP. Micronesia’s .fm has been pushed heavily at radio stations and podcasters. Tonga’s .to has been favored by torrent and illegal streaming websites. Antigua, in the Caribbean, is heavily marketing its .ai at technology startups. 

But these success stories seem to be the exception. In 2016, the Anti-Phishing Working Group found that alongside .tk and .com, the Australian Cocos Islands (.cc) and Palau (.pw) together represented 75% of all malicious domain registrations. They had been flooded by phishers attacking Chinese financial institutions. The Cocos Islands made headlines in Australia when websites allegedly hosting child sexual abuse images were recently found on its domain. 

Those domains whose names—by linguistic luck—seemed to mean something tended to attract better managers. Sharks seem to have circled around those that did not, or had a market that was less clear. 

While the abuse of Pacific Islands’ domains has waxed and waned over the years, the islands’ tiny size means that even small associations with crime can have damaging consequences. 

“There is a problem in Polynesia,” says Pär Brumark, a Swede who represents the Pacific island of Niue abroad. “You had these internet cowboys running around taking domains everywhere.”

Niue lost control over the domain .nu after it was “stolen” by an American in the late 1990s, Brumark says. Its management was given to the Swedish Internet Foundation—which manages Sweden’s native .se—in a “shady deal” in 2013, he claims. .Nu has been wildly popular in Sweden, as it translates directly to “now.” Niue, which is also linked to New Zealand, is now fighting a David-versus-Goliath battle in the Swedish courts. It is seeking as much as $20 million in lost revenue—almost one year’s worth of Niue’s annual GDP. 

“Digital colonialism,” claims Brumark. “They exploit resources from another country without giving anything back. They have never spoken to the government. They have no permissions. They exploit. Colonialism to me is if you take resources from a country that you do not have the permission to take.” 

But now there may finally be some accountability—at least in the case of Zuurbier. 

In December 2022, courts in the Netherlands found in favor of an investor suing Freenom, the company that managed .tk and four other domains—those of Gabon, Equatorial Guinea, the Central African Republic, and Mali—that were subsequently added to the model it pioneered. The courts found that Freenom had fallen foul of various reporting rules and appointed a supervisory director.

And in March of this year, Meta, which owns Facebook, Instagram, and WhatsApp, also sued Freenom for damages, claiming that sites hosted on .tk and the four African domains were engaging in cybersquatting, phishing, and trademark infringement. Meta provided examples of websites that appeared to be registered at .tk with the express purpose of deceiving users, such as faceb00k.tk, whatsaap.tk, Instaqram.tk. 

In an interview with the Dutch newspaper NRC, Zuurbier denied Meta’s allegations about the “proliferation of cybercrime.” But the Cybercrime Information Center recently reported that “in past years Freenom domains were used for 14% of all phishing attacks worldwide, and Freenom was responsible for 60% of the phishing domains reported in all the ccTLDs in November 2022.” Zuurbier says that Freenom distributed to over 90 trusted organizations, including Meta, an API that allowed them to take down offending sites and that Meta itself failed to continue using it. But many in the tech industry resent what they see as Freenom shifting the cost of policing its domains onto others. 

As of January 2023, it is no longer possible to register a .tk domain. All four African countries—many thousands of times larger than Tokelau—have broken ties with Freenom. Tokelau, which did not seem aware that there were other countries in the same boat, is still trying to figure out what to do next. 

It now looks as if Freenom is essentially finished as a company. But Enosa doesn’t believe that’ll stop Zuurbier from pursuing more shady schemes. “Joost always wins,” he says. 

Shifting tactics

Without access to the unlimited pool of free domain names that were available through .tk and the four other Freenom ccTLDs, many cybercrime groups that relied on them are being forced to adapt. Certain scattergun approaches to spamming and phishing are likely to go out of fashion. “Spammers are fairly rational,” explains Levine, the spam expert. “If the spam is cheap and the domains are free, they can afford to send out a lot of spam even though the likelihood of response is lower. If they actually have to pay for the domains, then they are likely to make it a lot more targeted.” 

“Bad things online require a domain name at some point,” says Carel Bitter, head of data at the Spamhaus Project, which tracks malicious activities online. “You need people to go somewhere to fill in their account details. If you can’t get domains for free, you will have to get them somewhere else.” Analysts have noted upticks in malicious use of cheap “new” generic TLDs such as .xyz, .top, and .live, whose reputations have been wrecked by dodgy dealers. 

While other domains may only cost $1, a drop in the ocean for the largest gangs, the fact that they now need to be purchased may limit the damage, says Bitter: “Any cybercrime business that relies on domain names will have some sort of natural limit that determines how much they can spend on domain names.” Others, though, may seek to compromise existing websites with low security. 

It is likely that “basement” operations—so-called “ankle-biters”—will feel the biggest pinch. “What is possible is that the guys that are just doing it as a dabble won’t want to put the money up, but the professionals are not going away,” says Dave Piscitello, director of research activity at the Cybercrime Information Center. “They will go elsewhere. If you are staging a revolution and the cost of a Kalashnikov goes from $150 to $250, you aren’t going to say ‘Forget it.’ It is the business.” 

An existential issue 

The media sometimes reports that Tokelau makes millions from the use of .tk. Zuurbier himself claims on his LinkedIn that his relationship with Tokelau adds over 10% to the atolls’ GDP. 

“Bullshit,” says Enosa when asked. “That’s a lie.” 

Enosa claims that .tk provided a “very small” proportion of Teletok’s income: “It doesn’t give us good money. .Tk was nothing to my revenue.” 

While the arrival of the internet on Tokelau promised to zip information across the Pacific instantaneously, the islands have remained isolated. Even while I was reporting this story, it took weeks to get in touch with Pasilio and other sources there. Interviews were repeatedly delayed because of the price of data packages. Internet in Tokelau is among the most expensive in the world, and NZ$100 (US$60) worth of data can sometimes last only 24 hours at a time. Phone calls to Tokelau from Europe did not connect. 

“I feel sorry for our Tokelau,” Pasilio says. “We have been taken advantage of. I think people would be shocked if they knew what had been going on with .Tk.” 

Even many Tokelau elders had not fully understood the problem, at least until recently. 

There are other, arguably more existential problems the islands need to deal with, including climate change, emigration, and the atolls’ future relationship with New Zealand. “Our islands are already shrinking as it is, with the sea levels rising,” says Pasilio. She says her father tells her about reefs and sand banks that have sunk beneath the Pacific. “They would rather worry about things that they can see physically and that they know more about, rather than fighting back on this .Tk thing,” she says.

But the issue of the abused .tk domain was recently raised in the General Fono, or Parliament, indicating that the issue had finally broken out of its technical niche and into the wider public. 

Those existential issues facing the islands are not wholly unrelated to .tk. Questions over the future of the domain have arisen at the same time that a debate over Tokelau’s political future has been revived. 

Tokelau is classified by the United Nations as a “non-self-governing territory” under the oversight of the Special Committee on Decolonization. In 2006 and 2007, referenda on whether Tokelau would enter “free association” with New Zealand—a possible stepping stone toward eventual independence—were approved, but not enough of Tokelau’s population voted to meet the turnout threshold. In May 2022, it was decided that another referendum on Tokelau’s future would be held ahead of the centenary of New Zealand rule in 2025.

Repairing Tokelau’s devastated international reputation by cleaning up .tk will be a necessity if the atolls are to make any serious bid for sovereignty. Vitale is now the general manager of Tokelau’s government and wants to see its internet domain make a triumphant return to make it clear that the islands are turning a new page. 

“We are building nationhood here,” he explains. “We are on a pathway toward self-determination. We want to use the .tk as a catalyst to promote our nationhood and be proud of it—our domain name and our identity among the internet community.” 

All of Tokelau’s email and website addresses are currently hosted on New Zealand’s .nz. “What does that mean to people? It means that we are in New Zealand,” says Vitale with a sigh. “We should be selling ourselves as being in Tokelau, because .tk is the domain—the identity—for Tokelau.” 

“When you have people coming to knock on your door with attractive packages,” he adds, “you see it as an opportunity you hook onto—not realizing what the consequences will be further down the road.” 
