Every country on the internet owns a two-letter suffix that identifies its digital presence on the global internet. For Germany, it is .de, for Japan it is .jp, and for Pakistan it is .pk. These country-code top-level domains, known as ccTLDs, are generally managed by non-profit organizations, academia or local governments as a national infrastructure and meant to serve the citizens of the country.

Since ccTLD domain space is legally tied to national sovereignty, several countries have initiated re-delegation processes over the last decade to streamline internet governance and stewardship of this critical national asset. These countries include Morocco, South Africa, Somalia, and others. Nevertheless, Pakistan’s .pk has always been mismanaged due to significant financial stakes involved since the very beginning and keeping the digital rights of Pakistanis under massive threats.

Geolocation & Digital Soverginty Threats

According to the current IANA delegation record, all .PK ccTLD nameservers are geographically located outside Pakistan. In contrast, many ccTLD managers operate their DNS infrastructure within their own national jurisdictions or use nationally controlled digital infrastructure to strengthen digital sovereignty and ensure that the domain space serves the interests of their local Internet community. This also violates Pakistan’s Personal Data Protection Bill (2023), enforcing localization of personal identity data.

Poor DNSSEC Implementation

Pakistan .pk zone has bad DNSSEC implementation, and therefore the country’s domain namespace lacks a cryptographic chain of trust from the DNS root, making it harder for users and networks to verify that DNS responses are authentic. This increases exposure to risks such as DNS spoofing, cache poisoning, and domain redirection attacks. While DNSSEC does not protect against all cyberattacks, its absence reduces trust in the national digital infrastructure, weakens protection against DNS-based attacks, and may indicate lower maturity in managing critical Internet resources.

The below AP ccTLD DNSSEC status map explains the same grim story.

Weak Domain Registration Process

.PK registration historically relied more heavily on registrar-based information submission, where the accuracy of registrant information depends significantly on the registrar and customer-provided data. PK ccTLD has a weaker registration process compared with other ccTLDs generally, and lacks identity verification, eligibility checks, transparency, and governance controls, rather than the basic ability to register a domain.

Cyber Attacks due to Weak Cybersecurity at .PK CCTLD

In 2020, credentials linked to nearly 2.4 million .pk domain accounts/websites were reported compromised due to malware infections on devices. In February 2013, Pakistan’s .pk ccTLD faced a major cybersecurity incident due to weak cybersecurity controls and became one of the most notable security incidents in Pakistan’s domain name history. The attackers claimed unauthorized access to PKNIC-related systems and reportedly compromised information associated with thousands of domain accounts, while manipulating DNS records that caused several major Pakistani websites related to government, academia, businesses and become inaccessible or redirect.

In May 2025, as per Pakistan National Emergency Response Team (PKCERT), over 180m Pakistani users’ passwords, login credentials stolen in massive data breach, says national cyber security body. Hackers defaced Pakistani institutional websites, including government and education-related domains. Some reports documented many Pakistani websites being compromised during the campaign.

The Unresolved Question

Pakistan has two distinct digital identity problems that intersect in uncomfortable ways. The first is a security problem: its ccTLD registry has demonstrated vulnerability to cyberattacks on a daily basis.

The second is a governance problem: the PK registry has operated without formal accountability to the Pakistani people and has resisted the kind of transparency and modernization that comparable national registries have achieved elsewhere.

A country that cannot say with clarity who controls its internet namespace or hold that controller accountable when things go wrong, has not yet secured its digital infrastructure in any meaningful sense. Pakistan has an emerging internet ecosystem, a growing digital economy, and ambitions for a larger technological role in the region. All of that rests, at the addressing layer, on a .pk registry whose history is contested, whose security record is troubled, and whose governance remains unresolved.

That is not a legacy problem. It is a present one.