Free and unregistered VPN services have become a “major cybersecurity threat” to Pakistan, exposing citizens to hacking, data theft, foreign surveillance and online crime, according to officials and cybersecurity experts.
Calls are growing for the government and the Pakistan Telecommunication Authority (PTA) to enforce a complete ban on all unregistered and unsafe VPNs, allowing usage only through licensed and security-vetted providers.
The warning comes amid rising concerns about cybercrime networks and foreign intelligence exploiting loopholes in Pakistan’s digital landscape.
Unsafe VPNs exploited by hackers, anti-state actors
Officials say free VPNs secretly log and sell user data, weakening public privacy and financial safety. Unregistered VPNs are also being used by hackers, scammers and anti-state networks operating anonymously across social media platforms.
Authorities warn that such unsafe VPN apps expose citizens to malware, ransomware attacks and surveillance by foreign servers.
Cybersecurity analysts argue that to protect national digital infrastructure, the government must block all free and unregistered VPN IPs and ensure that only licensed, compliant VPN services remain operational.
Violators using unauthorized VPNs may face penalties, service suspension or investigation, they warn. Businesses operating on unregistered VPNs also risk legal and operational consequences, including data leaks and regulatory action.
International models restricting unauthorised VPNs
Countries, including India, UAE, Saudi Arabia and Bangladesh, have already imposed VPN restrictions as part of their national-security policies. Officials say Pakistan must adopt similar frameworks to prevent misuse of encrypted traffic and ensure compliance with cyber laws.
Secure, licensed VPNs, they emphasize, are essential for protecting privacy, financial data and national security, and for maintaining trust in Pakistan’s digital economy.
Licensing secure VPN providers
On November 13, the PTA formally started licensing Virtual Private Network (VPN) service providers under the reinstated Class Value Added Services (CVAS-Data) regulatory framework.
The step aims to establish a regulated ecosystem for lawful VPN usage while ensuring data protection and compliance with national standards. The PTA has already granted Class Licenses to several companies, including:
- Alpha 3 Cubic (Pvt.) Ltd. — Steer Lucid
- Zettabyte (Pvt.) Ltd. — Crest VPN
- Nexilium Tech (SMC-Pvt.) Ltd. — Kestrel VPN
- UKI Conic Solutions (SMC-Pvt.) Ltd. — QuiXure VPN
- Vision Tech 360 (Pvt.) Ltd. — Kryptonyme VPN
These licensed providers are authorized to offer secure VPN services to individuals and organizations for legitimate, lawful purposes.
VPN misuse linked to terrorist activities: Talal
Speaking outside the Election Commission of Pakistan on Tuesday, Minister of State for Interior Talal Chaudhry said that terrorist groups use VPNs to access social media applications anonymously. He asserted that the government is not taking any steps that would negatively impact the IT sector.
“IT companies should continue using registered VPNs to ensure compliance. VPNs are being widely used by terrorists to access social media apps, and the ministry has registered these apps as VPN to regulate and track usage,” he stated.
Chaudhry stressed that proper registration is crucial to prevent misuse of encrypted online tools by hostile actors.
