The file in question:
I did some checking and, not surprisingly, there are a lot more than this one that have been created (I've already dropped abuse reports to dot.tk), including:
I've got a verification going to ID any more of these. Until dot.tk change their policy of not taking down domains that the registrant has paid them for, I feel pretty confident that we're going to see more and more .tk domains involved in criminal activity.
As far as the IPs involved, you'll no doubt have guessed that it's the usual suspects:
44565 126.96.36.199/24 VITAL TEKNOLOJI
49981 188.8.131.52/20 WORLDSTREAM
31252 184.108.40.206/24 STARNET-AS StarNet Moldova
47869 220.127.116.11/20 NETROUTING-AS Netrouting Data Facilities
If you've not already, feel free to blackhole the lot of them (and until dot.tk change their policy, you might want to consider a blanket block on the entire Tokelau TLD - money should never come before user safety).
dot.tk: Use and abuse us as you wish
Crimeware friendly ISPs: xorg.pl