Speed Read
- The Committee on Public Finance (COPF) has found Sri Lanka’s $2.5 million Treasury fraud stemmed from systemic governance failures, weak cybersecurity and poor internal controls—not a single human error.
- COPF chairperson Harsha de Silva said the committee was unanimous in confirming a cybercrime-linked fraud and reiterated that only criminal investigations could determine individual liability.
- Cybercriminals have hijacked official email threads, used look-alike domains and exploited outdated IT systems during Sri Lanka’s debt management transition.
- The committee urged sweeping reforms to debt repayments, cybersecurity and financial oversight, warning that institutional failures enabled fraud.
COLOMBO—Sri Lanka’s $2.5 million Treasury fraud was never just a cyberattack.
A parliamentary investigation has found that years of weak governance, outdated technology and institutional failures allowed cybercriminals to infiltrate one of the government’s most sensitive financial operations and divert sovereign debt repayments meant for a foreign lender.
The money was stolen between November 2025 and January 2026 while Sri Lanka was repaying sovereign debt to Export Finance Australia, one of several creditors involved in the country’s debt restructuring following its historic sovereign default. Instead of reaching the Australian export credit agency, several repayments were redirected to fraudulent overseas bank accounts after attackers infiltrated official email correspondence and manipulated payment instructions.
Because the money never reached the lender, Sri Lanka was forced to make the repayments again using public funds while investigators worked to determine how one of the country’s most significant cybercrime-linked financial losses had occurred.
The findings are contained in a 169-page report tabled in Parliament by the Committee on Public Finance (COPF), which concludes that the fraud was enabled not by a single administrative error but by longstanding governance lapses across multiple state institutions, including the Ministry of Finance and the Central Bank of Sri Lanka (CBSL).
The report identifies a chain of institutional breakdowns—from outdated email infrastructure and weak cybersecurity to fragmented oversight and poor verification procedures—that collectively created the conditions for the recent fraud.
For a country still rebuilding international confidence after its 2022 sovereign default, the findings extend well beyond the loss of $2.5 mn (Sri Lankan rupees 8,375,000,000). They raise fundamental questions about the government’s ability to safeguard billions of dollars flowing through the sovereign debt repayment system and whether reforms introduced after the economic crisis have been implemented effectively.
Unanimous parliamentary finding
COPF chairman Harsha de Silva, after presenting the report in Parliament later told media that all members had unanimously endorsed the findings after delaying publication to incorporate a supplementary submission accepted across party lines.
He described the consensus as unusual for a parliamentary oversight committee and said it reflected the strength of the evidence gathered during the investigation.
“The committee clearly finds that a fraud linked to cybercrime did take place, resulting in the theft of approximately $2.5 mn in public funds,” de Silva, an economist turned politician told CIR
While COPF examined how the fraud became possible, he noted that; parliament’s constitutional oversight role does not extend to deciding criminal liability or identifying whether officials knowingly assisted those behind the theft.
“It is beyond the scope of our committee to determine whether the fraud involved internal collaboration or conspiracy,” he said. “Criminal investigations must establish whether officials acted through negligence, incompetence, ignorance or deliberate involvement.”
That distinction is central to the report. Rather than focusing on individual culpability, COPF sought to determine whether government systems themselves had failed.
Its conclusion was unequivocal.
The cybercriminals succeeded because multiple institutional safeguards failed simultaneously.

Fraud hidden in plain sight
The theft occurred during routine sovereign debt repayments, a process that normally attracts little public attention but involves the transfer of hundreds of millions of dollars to foreign lenders.
Between November 2025 and January 2026, Sri Lanka was making scheduled repayments under debt restructuring arrangements, including payments to Export Finance Australia.
Rather than attacking banking systems directly, investigators found that cybercriminals infiltrated official email communications between the Ministry of Finance’s External Resources Department (ERD) and the Australian lender.
Using fraudulent internet domains that closely resembled legitimate addresses, the attackers inserted fake invoices and altered payment instructions into authentic email conversations.
Treasury officials, believing they were communicating with the genuine lender, approved payments to bank accounts controlled by the fraudsters.
In total, 10 transactions were processed using manipulated payment instructions.
The deception remained undetected for months.
Authorities only discovered the theft after Export Finance Australia informed the Ministry of Finance that scheduled repayments had never been received.
More than a cyberattack
Although the fraud relied on sophisticated cyber techniques, COPF rejected any suggestion that technology alone was responsible.
Instead, the report paints a picture of institutional weaknesses that had accumulated over years.
“The risks of cybercrime-related fraud were heightened by weaknesses in internal controls governing debt repayments and vulnerabilities in the government’s email infrastructure,” the report stated.
Those weaknesses extended well beyond outdated computer systems.
The committee identified poor oversight of debt repayment operations, inadequate procedures for escalating concerns to senior officials, fragmented IT governance, weak verification procedures and long-standing deficiencies in sovereign debt management.
Collectively, these failures created what investigators describe as an environment in which cybercriminals encountered little resistance.
A transition, a governance vacuum
One of the committee’s most significant findings concerns the government’s transition of sovereign debt management responsibilities from the Central Bank to the newly established Public Debt Management Office (PDMO).
The transition, intended to modernize Sri Lanka’s debt management framework, instead became one of the central vulnerabilities exploited by the attackers.
COPF found that authorities embarked on the institutional shift without establishing a comprehensive governance framework defining responsibilities between agencies.
No detailed terms of reference governed the transfer.
No key performance indicators existed to measure whether the transition had been completed successfully.
Operational guidelines for the new office were issued nearly 10 months after its establishment, while the memorandum of understanding between the CBSL and the PDMO was signed only in March 2026—months after the fraud and just before the transition ended.
The delayed arrangements left responsibilities unclear, fragmented oversight, and blurred accountability. COPF found that these governance gaps significantly increased operational risk as Sri Lanka managed complex debt restructuring payments to multiple international creditors.

Weakest link
While governance failures laid the foundation, outdated technology opened the door.
The committee was sharply critical of the Ministry of Finance’s cybersecurity posture, particularly within the External Resources Department.
Despite repeated warnings, officials continued operating Microsoft Exchange Server 2016 long after Microsoft’s extended security support ended in Oct. 2025.
The timing proved consequential.
Investigators found that the cyber fraud began roughly one month after security updates ceased.
COPF described the sequence as “far more than a coincidence.”
Independent assessments conducted by both the Sri Lanka Computer Emergency Readiness Team (SLCERT) and KPMG had repeatedly warned the ministry about serious cybersecurity deficiencies.
Those assessments identified weak password policies, the absence of multi-factor authentication, poorly defined IT responsibilities and failures to implement recommended security upgrades.
Yet many of those recommendations remained unimplemented when the fraud occurred.
The committee also discovered that the ERD operated its own independent email infrastructure outside the Treasury’s centralized IT management system.
“There appears to have been no coordination between the two IT teams,” the report stated.
For investigators, this represented not merely a technical oversight but a governance failure that prevented consistent cybersecurity standards across the Ministry of Finance.
Meanwhile, Nirosh Ananda, chief security information office of SL-CERT, said the agency had provided recommendations to the government following the incident, focusing on strengthening cybersecurity awareness, improving basic cyber hygiene and fostering a stronger incident reporting culture. He said CERT has intensified awareness programs across government institutions, emphasizing that many cyberattacks begin with human error. Ananda declined to discuss specific recommendations made to the Treasury but confirmed that Sri Lanka CERT had made submissions to the COPF.
Thread hijacking
Rather than hacking banking systems or deploying ransomware, the attackers relied on deception. Investigators found they hijacked an existing email thread between Treasury officials and Export Finance Australia shortly after Sri Lanka signed a debt restructuring agreement on October 27, 2025.
On Nov. 13, the attackers inserted six fake invoices into the legitimate email chain and used lookalike domains that closely mimicked Export Finance Australia’s official address. The fraudulent invoices redirected sovereign debt repayments to bank accounts in the United Arab Emirates (UAE) and the U.S.
COPF found that officials failed to detect the fake domains or independently verify the revised payment instructions, concluding that a relatively simple social engineering attack succeeded because of weak institutional controls, outdated IT systems and inadequate verification procedures.
Ignored warnings
Perhaps the most troubling finding in the report is that warning signs emerged before the full loss occurred.
One fraudulent payment initially failed when an intermediary bank rejected it over incorrect beneficiary details, prompting CBSL officials to question the sudden change in Export Finance Australia’s bank account and instruct that the new details be independently verified.
That verification never happened. Instead — the report pointed out— that the Treasury officials continued communicating through the compromised email thread. The attackers provided revised invoices and explanations, leading officials to resend nearly $1 mn that had briefly been recovered—this time to another fraudulent account in the United States.
COPF concluded that a critical opportunity to prevent much of the loss was missed because officials ignored basic verification procedures and relied on compromised email correspondence instead of independently confirming the payment instructions.
Fraud bigger than Australia
As investigators began reviewing other debt repayments following the failed transaction involving India’s Export-Import Bank, they discovered that the cybercriminals had cast a much wider net.
Using similar impersonation techniques, attackers attempted to redirect sovereign debt repayments involving creditors in the United Kingdom, Germany and Belgium.
In one case, JPMorgan’s Global Fraud Prevention Operations detected suspicious payment instructions intended for India’s Export-Import Bank and blocked the transaction before any funds left Sri Lanka.
That intervention prompted Treasury officials to review recent foreign debt repayments.
The subsequent investigation uncovered fraudulent payment instructions affecting multiple creditors.
Authorities managed to halt a payment destined for the United Kingdom before it was processed.
Belgian authorities were contacted in time to verify legitimate banking details, allowing that payment to proceed safely.
Australia, however, was different.
By the time officials contacted Export Finance Australia directly, several repayments had already been diverted to fraudulent overseas accounts.
The committee concluded that the pattern demonstrated a coordinated campaign targeting Sri Lanka’s sovereign debt repayment system rather than an isolated attack against a single creditor.

Governance, not just cybersecurity
Throughout the report, COPF repeatedly returns to one central conclusion: technology alone did not fail.
Institutional governance did.
COPF found that poor inter-agency coordination, fragmented responsibilities, weak oversight and outdated financial procedures created an environment that cybercriminals easily exploited. It said operational officials failed to exercise proper judgment, while senior management failed to establish governance systems capable of identifying and addressing vulnerabilities.
The committee was particularly critical of fragmented IT governance, noting that the ERD operated its own email and server infrastructure outside the Treasury’s central IT system. This led to inconsistent cybersecurity standards, unclear responsibilities and delayed security upgrades— failures COPF described as governance, not merely technical, shortcomings.
Cybersecurity expert and digital policy leader Asela Waidyalankara said the $2.5 million Treasury fraud exposed systemic weaknesses in people, processes and technology.
He said cybersecurity awareness is not embedded in the public service, with limited staff training and little accountability for following basic security practices. He also maintained that operational controls weakened after sovereign debt payment responsibilities shifted from the Central Bank to the Treasury, recommending internationally recognized standards such as ISO/IEC 27001 for critical payment functions.
Waidyalankara added that the continued use of unsupported technology highlighted broader failures in IT governance and planning. Rather than a lack of cybersecurity tools, he said, the incident reflected poor governance, cautioning that similar breaches are likely unless these structural weaknesses are addressed.
Who is responsible?
While identifying serious institutional failures, COPF Chair Harsha de Silva explained that parliament’s role was to examine how public funds were lost—not to determine criminal liability.
“The committee clearly finds that a fraud linked to cybercrime did take place,” he told parliament, adding that only criminal investigations can determine whether officials colluded with the perpetrators or whether cybercriminals exploited negligence or incompetence.
The report neither exonerates nor implicates individual officials, concluding instead that systemic failures enabled the fraud regardless of whether criminal collusion existed. Four officials remain suspended pending investigations by the Criminal Investigation Department (CID) and the Financial Intelligence Unit (FIU), while one suspended official died during the inquiry.
COPF said the response must go beyond upgrading software. It recommended a comprehensive overhaul of sovereign debt management and public financial governance, including a special audit of the foreign debt repayment process, updated Financial Regulations aligned with the Public Financial Management Act and Public Debt Management Act, stronger payment verification procedures, mandatory multi-channel confirmation of changes to lender bank accounts, and centralized oversight of Treasury IT systems.
The committee also urged the Ministry of Digital Economy (hyperlink)to implement long-standing cybersecurity recommendations, including modern email infrastructure, multi-factor authentication and stronger governance, while completing the transition to the PDMO under a clear accountability framework.
Lessons beyond the loss
COPF said the fraud’s significance extends well beyond the $2.5 mn loss. Occurring during Sri Lanka’s debt restructuring, it exposed governance and cybersecurity weaknesses that risked undermining confidence among international creditors.
The report concludes that the theft was not simply the result of a sophisticated cyberattack but of years of neglected reforms, weak oversight, outdated technology and fragmented governance. Whether criminal investigations ultimately establish negligence, incompetence or collusion, COPF’s central finding is that systemic failures within the state enabled the fraud.
Banner Image: COPF chair Harsha de Silva claimed parliament’s oversight role is to examine how public funds were lost—not to determine criminal liability or whether officials knowingly assisted those behind the theft. Image courtesy of Parliament Communication Department.
This story was written and edited by Gagani Weerakoon. She leads the editorial at the Center for Investigative Reporting (CIR).
This story was produced with support from Report for the World, a global media service strengthening local independent journalism


