On the morning of January 23, 2026, human rights lawyer Imaan Zainab Mazari-Hazir and her husband Hadi Ali Chattha were travelling to the Islamabad High Court in a vehicle provided by the Islamabad High Court Bar Association to attend a scheduled hearing when police intercepted their car in Islamabad and placed them under arrest.
The detention came despite the couple having secured temporary relief from arrest earlier from the high court in connection with a case related to their social media activity. Authorities invoked previously registered first information reports (FIRs) and took them into custody before they could reach the court.
Within a day, a sessions court sentenced the two lawyers to a combined 17 years in prison under multiple provisions of the Prevention of Electronic Crimes Act 2016 (Peca) linked to posts on the social media platform X. Court proceedings were conducted through video link, while the couple remained in custody, and the verdict was announced shortly afterward.
Reacting to the case, Imaan Mazari’s mother and former federal minister Shireen Mazari tells Eos that the experience has raised serious concerns about how cybercrime laws are being enforced.
“It has certainly alerted me more to the dangers of abuse inherent in the present digital justice system, not only in the actual clauses of the law but also the proclivity to misinterpretation of the law itself,” she says. “The whole exposé of the Blasphemy Business Group [BBG], which has been operating in connivance with some National Cyber Crime Investigation Agency officers, has revealed the abuse of this law most starkly.”
While authorities claim that the newly created National Cyber Crime Investigation Agency (NCCIA) is ‘modernising digital law enforcement’, critics argue the system is increasingly being used to police online speech rather than combat cybercrime. Official data and recent cases raise questions about the system’s steep procedural drop-offs, institutional turmoil and how Pakistan’s cybercrime laws are enforced
In May 2024, the federal government created the National Cyber Crime Investigation Agency (NCCIA), replacing the Cybercrime Wing of the Federal Investigation Agency (FIA). The new agency was established under Section 51 of Peca, with nationwide jurisdiction to investigate digital offences. All ongoing cases and staff from the FIA’s Cybercrime Wing were transferred to the new body.
The move was presented as a major structural reform aimed at modernising Pakistan’s response to rapidly growing online crimes, including financial fraud, digital harassment, identity theft, child exploitation, hacking and cyber-enabled scams. Authorities had argued that a dedicated agency would improve investigative focus, enhance digital forensic capacity, speed up case processing and strengthen prosecution under cybercrime laws.
LOOKING AT THE NUMBERS
According to official data obtained through a right to information (RTI) request, the NCCIA received 94,552 complaints nationwide during the nine-month period (April-December 2025) under review in the research conducted for this article.
Of these, 21,260 complaints were converted into formal inquiries, meaning only 22.49 percent moved beyond the initial screening stage, while nearly 77.5 percent did not proceed to inquiry.
From the inquiries initiated, 1,440 FIRs were registered across the country. This represents 1.52 percent of total complaints and 6.77 percent of the inquiries conducted, indicating a significant filtering process between the initial complaint stage and the formal registration of criminal cases.
Further along the prosecution chain, 651 challans were submitted in courts. While this accounts for 45.2 percent of the FIRs registered, it amounts to only 0.69 percent of the total complaints received.
The final stage convictions present an even sharper drop. Only 20 convictions were secured nationwide during the period under review. This translates to 0.021 percent of total complaints, 1.39 percent of FIRs and 3.07 percent of challans submitted in courts. The steep decline at each stage from complaint to inquiry, inquiry to FIR, FIR to challan and ultimately conviction highlights the challenges involved in converting cybercrime complaints into successful prosecutions.
Provincial data also reveals stark disparities in reporting and enforcement. Punjab accounted for 63,831 complaints, representing 67.54 percent of the national total. Sindh followed with 18,067 complaints (19.11 percent), while Khyber Pakhtunkhwa (KP) recorded 10,520 complaints (11.13 percent) and Balochistan 2,134 complaints (2.26 percent).
Punjab also recorded the highest number of FIR registrations, with 1,125 FIRs, 78.1 percent of all FIRs registered nationwide. Sindh recorded 162 FIRs (11.25 percent), KP 121 (8.4 percent), and Balochistan 32 (2.22 percent).
In terms of convictions, Punjab secured 12 of the 20 convictions nationwide (60 percent). Sindh and KP recorded three convictions each, while Balochistan secured two. District-level figures show that complaints are heavily concentrated in major urban centres. Lahore reported the highest number with 19,854 complaints, followed by Karachi with 10,020 complaints. Rawalpindi recorded 9,068 complaints, while Faisalabad (5,571), Multan (4,910) and Gujranwala (4,706) also featured prominently.
In Sindh, Hyderabad recorded 2,091 complaints, while Sukkur, Karachi East and Karachi Central reported comparatively smaller numbers. In KP, Peshawar topped the list with 3,910 complaints, followed by Abbottabad, Mansehra, Mardan and Haripur. In Balochistan, Quetta accounted for 1,533 of the province’s 2,134 complaints, suggesting that cybercrime reporting remains largely concentrated in provincial capitals and major cities.
‘MUZZLING DISSENT’?
Pakistan’s cybercrime law, Peca, has long been controversial among digital rights advocates. Digital rights activist Farieha Aziz, who is a co-founder of Bolo Bhi, an advocacy forum for digital rights, argues that, while cyber harassment and online fraud require effective law enforcement, the law’s broad framing and its enforcement mechanisms have raised serious concerns.
“A longstanding issue with Peca has been the excessive criminalisation of speech, for instance, criminal defamation [Section 20],” says Aziz. “Other countries follow a non-enforcement or decriminalisation pattern and defamation remains within the civil law ambit. Not here. Then take the addition of Section 26A, ‘fake and false information’, which has been arbitrarily used since it was introduced to muzzle dissent.”
In May 2024, the federal government created the NCCIA, replacing the Cybercrime Wing of the FIA. The move was presented as a major structural reform aimed at modernising Pakistan’s response to rapidly growing online crimes, including financial fraud, digital harassment, identity theft, child exploitation, hacking and cyber-enabled scams. Authorities had argued that a dedicated agency would improve investigative focus, enhance digital forensic capacity, speed up case processing and strengthen prosecution under cybercrime laws.
She adds that both the structure of the law and its enforcement raise broader concerns about rights protections.
“Both the framing of Peca and its application run contrary to our commitments under the International Covenant on Civil and Political Rights [ICCPR] — both from a criminalisation standpoint and what is passed off in the name of regulation ie the Pakistan Telecommunication Authority [PTA] powers and, now, the Social Media Protection and Regulatory Authority [SMPRA]. Censorship is not regulation, which is what this is.”
Journalist Nadir Baloch, who recently received a notice from the NCCIA, tells Eos, “From my experience, the process adopted by the NCCIA lacked transparency from the very beginning. I was never clearly informed about the nature of the allegations against me. The notices only mentioned a charge under the Defamation Act but provided no details, no explanation of the accusation and no copy of the complaint filed against me.”
He continues: “Without knowing what I am being accused of, it is impossible to meaningfully prepare a defence or properly join an inquiry.”
Baloch adds that investigators appeared primarily interested in securing access to his digital devices. “It became clear that my mobile phone and other devices were the main focus from the outset. Seizing digital devices without first clearly informing a person of the allegations raises serious concerns about due process and fairness. As a journalist, this approach makes me feel vulnerable and targeted. Transparency is a fundamental safeguard and, without it, the entire process appears opaque and deeply concerning.”
Lawyer and rights activist Jibran Nasir is even more critical of the institution’s performance. “The NCCIA, which is effectively a makeover of the FIA cybercrime wing, is perhaps the most incompetent, monetarily corrupt and morally bankrupt civilian law enforcement agency, and it should be shut down. I believe all protections under the Peca law are redundant if those enforcing it are compromised.”
Following the arrest of activists and journalists, the NCCIA has also faced scrutiny over several high-profile investigations and internal controversies since its formation.
The arrest and sentencing of Imaan Mazari and Chattha also drew criticism from several international human rights organisations, which questioned the use of cybercrime provisions in cases involving online expression.
Shireen Mazari argues that recent developments suggest the law is increasingly being used to target dissenting voices. She says the amendments to cybercrime legislation appeared designed for political targeting and alleges that investigators had deliberately misinterpreted the content of her daughter’s tweets during the proceedings, raising broader concerns about how digital speech is being assessed and prosecuted.
Islamabad-based journalist Waheed Murad was forcibly taken from his residence in Sector G-8 in the early hours of March 26, 2025, at around 2-3am, when unidentified men, reportedly accompanied by police vehicles, entered his home without prior notice and removed him to an undisclosed location. Later the same day, he was produced before Judicial Magistrate Abbas Shah in Islamabad by the FIA, in a case registered under Peca linked to alleged “intimidating” social media activity, including a repost.
The FIA sought physical remand, and the court granted a two-day remand, after which he was released on bail, drawing concern among legal observers over the manner of the arrest and the agency’s handling of the case, particularly the lack of transparency and the use of a pre-dawn operation.
Lawyers working on cybercrime cases say that, despite the institutional restructuring, the day-to-day functioning of investigations has remained largely unchanged. Advocate Shah Fahad, a lawyer who has handled cases before the FIA’s cybercrime wing and now appears in matters before the NCCIA, says the transition has not resulted in significant procedural reforms.
“My abduction and subsequent arrest in a cybercrime case was not an isolated incident,” Murad tells Eos. “Such efforts to suppress freedom of expression and press freedom have long been ongoing in Pakistan.
“As far as the establishment of a separate agency to tackle cybercrime is concerned, the core issue lies in the intent and application of the law. Regardless of how many agencies are created, the perpetrators do not regard the law, and their objective is not to combat fake news or misinformation but to silence critical voices. Therefore, such measures are unlikely to make any real difference. Meaningful improvement in the law is only possible when there is clear and sincere intent, and when the perspectives of all segments of society are incorporated — especially those who are most active on social media and those working in the field of digital rights.”
QUESTIONABLE PRACTICES
One of the most widely reported cases involved YouTuber Saad ur Rehman, popularly known as Ducky Bhai. Authorities initiated an investigation against him over allegations of promoting illegal online gambling applications through social media platforms.
The inquiry was conducted under provisions of Peca, along with sections of the Pakistan Penal Code related to fraud and unlawful online activity. The case, however, soon spiralled into controversy when allegations of bribery and misconduct surfaced against investigators handling the inquiry.
According to multiple media reports, several officials were accused of demanding money in exchange for favourable treatment during the investigation. Subsequent internal action led to the arrest and suspension of a number of officers associated with the probe, while others resigned as the allegations came under scrutiny.
The controversy deepened as disciplinary proceedings were initiated within the agency. In the months that followed, several officials were dismissed or removed from service as part of internal accountability measures linked to corruption complaints and administrative irregularities.
Beyond individual complaints, the agency has also faced internal controversies and operational challenges since its formation. Many employees who had been hired on contractual terms during the transition from the cybercrime wing of the FIA to the newly established NCCIA saw their contracts expire without renewal. Reports indicate that more than 100 staff members were impacted.
The abrupt termination of these contracts created uncertainty within the organisation and raised concerns about workforce stability, particularly as the agency is responsible for dealing with thousands of cybercrime complaints every year.
The situation became more contentious after the government issued notifications appointing several officials from the armed forces to senior positions within the agency. The move sparked debate among legal observers and civil society groups about the structure, oversight and civilian nature of the cybercrime enforcement body.
Lawyers working on cybercrime cases say that, despite the institutional restructuring, the day-to-day functioning of investigations has remained largely unchanged. Advocate Shah Fahad, a lawyer who has handled cases before the FIA’s cybercrime wing and now appears in matters before the NCCIA, says the transition has not resulted in significant procedural reforms.
He points out that, despite the transition to the NCCIA, there has been little to suggest any substantive shift in how cybercrime complaints are handled, especially when it comes to handling cases under Section 20 and 21 of Peca. According to him, the change from the FIA appears largely superficial, with the same personnel and investigative approaches continuing, and no meaningful improvement in procedures, victim facilitation or overall standards.
He also emphasises that the process itself can become an added burden for complainants, particularly when they are required to hand over personal digital devices as part of the evidence. This raises further concerns around privacy and ease of access to justice, especially since there have previously been data leaks in sensitive cases being conducted by the FIA cybercrime wing.
Riazul Haq, a senior journalist based in Islamabad who has reported on cybercrime enforcement since the formation of the NCCIA, tells Eos that procedural gaps continue to persist within the system. He points out that the online complaint mechanism remains unreliable and often unresponsive, forcing complainants to visit offices in person to complete even basic requirements of their cases.
Haq further highlights that the department is facing a severe structural and operational crisis. According to him, the total workforce stands at around 400 personnel nationwide, out of which only a small fraction (approximately eight–10 officers) are permanent, while the overwhelming majority are working on short-term contracts, creating instability and weak accountability. He further points out that the government initially committed a budget of Rs 14 billion for the NCCIA, which was subsequently reduced to Rs 10 billion, then Rs 6 billion and eventually shrank to nearly Rs 1 billion, much of which has still not been effectively released, thus severely hampering capacity building.
Compounding the issue is the fact that the NCCIA lacks a centralised and reliable data management system, limiting its ability to track and respond to cybercrime efficiently. In terms of case data, Haq notes that around 56 percent of reported complaints fall under online fraud, harassment and related cyber offences, reflecting the growing scale of digital crime. He emphasises that, with limited offices, insufficient funding, lack of technological infrastructure and a largely contractual workforce, the institution is struggling to cope with an overwhelming volume of cases, further deepening its credibility and performance crisis.
Commenting on the institutional structure, he says the new body largely continues the practices of its predecessor, the FIA. “With 90 percent of the staff being contractual, it is difficult for employees to feel secure about their performance,” he says, describing the working environment as marked by “chaos, urgency and a hodgepodge approach”, while also noting that politicisation and external influence have weakened the agency’s autonomy.
The uncertainty over staffing has also reached the courts. Raja Abdul Qadeer, a barrister representing 41 officers of the NCCIA before the Islamabad High Court, says the petitioners serving in BPS-17 and BPS-18 pay scales, in roles such as investigation, digital forensics and legal analysis are seeking regularisation through the Federal Public Service Commission (FPSC) after their posts were converted from development to regular budget positions.
Qadeer tells Eos that the officers were originally recruited through a competitive process in 2018 under the cybercrime wing of the FIA and have served continuously since 2019. The petition argues that, once these posts were formally shifted to the non-development side in 2022, the government became legally bound to process their regularisation in line with existing court precedents. On the last hearing, the court also directed the authorities to release the employees’ salaries.
STRUCTURAL GAPS
Official figures presented in parliament by interior minister Mohsin Naqvi illustrate the scale of cybercrime investigations being handled by the agency. According to the data, 98,206 inquiries were registered nationwide over the past five years. Of these, 53,717 were disposed of, while 51,696 remain pending, reflecting a substantial backlog.
During the same period, law-enforcement authorities registered 7,690 FIRs related to cybercrime. While 3,505 cases have been disposed of, 4,185 remain pending, highlighting the growing pressure on investigative and prosecutorial systems dealing with digital offences in Pakistan.
Sadaf Khan, co-founder of Media Matters for Democracy, tells Eos that the issue goes beyond individual cases and reflects deeper structural gaps in Pakistan’s cybercrime system. Pakistan’s cybercrime framework, she argues, requires reforms that focus on process, capacity and public trust, alongside the integration of a human rights and a gender lens in both law and investigative procedures.
“A significant portion of enforcement under Peca has focused on cases related to online speech,” she says. “As a result, investigative resources often appear to be directed toward monitoring or responding to expression-related complaints rather than building specialised capacity to tackle complex financial cybercrime or other technically sophisticated offences.”
Khan adds that simply creating a new institution without addressing deeper structural problems risks reproducing the same weaknesses within a different organisational structure. “When legitimate expression is constrained,” she warns, “information vacuums emerge in spaces where misinformation, speculation and confusion begin to flourish.”
Murad believes that improvement in the cybercrime law is only possible if intent is clear and transparent, and the views of all segments of society are included, especially those who are more active on social media and those working on digital rights. This view finds endorsement from Shireen Mazari, who argues that the law itself and its enforcement structure need fundamental reform.
She calls for “a total revision of the law, with clear guidelines on its use, plus a complete restructuring of the NCCIA,” alleging that the current body has been marked by “abuse and corruption.”
Citing cases such as those involving Imaan Mazari and Chattha, she claims that the conduct of officials raised serious questions during court proceedings and reflects a broader pattern visible in NCCIA cases and court verdicts which, in her view, points to systemic misuse rather than isolated incidents.
UNFULFILLED PROMISES
Multiple officers within the NCCIA were approached by Eos in order to obtain an official stance regarding these concerns. None of the individuals approached responded to Eos’ repeated queries and no formal spokesperson has been designated by the department since its formation. Efforts to obtain a comment from Talal Chaudhry, who serves as Minister of State for the Interior, also went unanswered, reflecting continued institutional silence on the matter.
In the absence of structural reform, the promise that led to the creation of the NCCIA risks remaining unfulfilled. What was envisioned as an autonomous, specialised body to counter the exponential rise in cybercrime is instead grappling with limited expansion, persistent controversies and questions around transparency and accountability. Voices from across the spectrum, including journalists, legal experts and digital rights advocates, continue to highlight gaps in governance, enforcement and safeguard mechanisms.
Without clear oversight mechanisms, adequate funding, institutional independence and protections against the misuse of laws such as Peca, the NCCIA’s trajectory may not only undermine public trust but also weaken Pakistan’s broader response to an evolving and borderless cyber-threat landscape.
The writer is an investigative journalist.
Published in Dawn, EOS, April 5th, 2026