Speed Read:
- A debt payment to Export Finance Australia was rerouted via email fraud despite 24/7 cyber monitoring.
- The opposition demanded answers on failed controls and delayed disclosure.
- Government says it is cybercrime, not debt failure. Probes underway.
- Parliament committee flags weak oversight and capacity issues, deepened by a suspended official’s death.
COLOMBO- Sri Lanka’s $2.5 million Treasury cyber theft has exposed a troubling contradiction at the heart of its digital governance: a major financial breach unfolding despite the presence of a round-the-clock national cybersecurity apparatus.
The incident involving a sovereign debt repayment diverted through a sophisticated email compromise, has triggered a political showdown, multiple investigations, and renewed scrutiny of whether the country’s institutional and technical defenses are keeping pace with its rapid digital transition.
The exposure comes less than a year after Sri Lanka formally launched its National Cyber Security Strategy (2025–2029) on September 19, 2025, at the Bandaranaike Memorial International Conference Hall under the patronage of President Anura Kumara Dissanayake.
The strategy was intended to unify national security, public administration, and the digital economy under a coordinated cyber defense framework backed by dedicated monitoring systems operating around the clock.
Yet the Treasury breach has raised a central question: how did such a high-value fraud slip through systems designed for continuous vigilance?
Deputy finance minister Anil Jayantha Fernando and Treasury secretary Harshana Suriyapperuma acknowledged that the fraudulent transactions were executed through compromised email channels, with forged invoices inserted into what appeared to be legitimate communication streams. The reliance on email-based verification, even within a multi-step approval process, is now under intense scrutiny.
Confrontation forces debate
The issue escalated in Parliament after the government reversed its initial refusal to allow a debate, following a tense standoff led by opposition leader Sajith Premadasa and opposition lawmakers demanding accountability.
Premadasa called for a full breakdown of how 10 transactions totaling $2.5 million were processed and how safeguards failed.
“We need to know how these transactions were processed, who was responsible at each level, and how this could have happened within what is said to be a multi-step verification process,” he said.
He pressed for clarity on whether SWIFT or account details had been altered and questioned the timeline of disclosures to law enforcement versus Parliament. “If you had enough information to complain to the CID, then you had enough information to inform Parliament,” he said.
Premadasa also widened the scope of concern, citing reports of additional irregularities, including a $600,000 loss linked to U.S. postal payments, alleged double payments under welfare programs, and missing documentation tied to French loans all of which, he argued, demanded explanation.
Cybercrime, not default
Deputy finance minister in Parliament on Tuesday, on 5 March defended the government’s handling of the incident, detailing a payment chain involving the External Resources Department (ERD), the Public Debt Management Office (PDMO), and the Central Bank (CBSL).
Responding on behalf of the government, Fernando outlined the sequence of transactions:
- November 14: three invoices totaling $713,757
- November 28: $377,660
- January 5: five invoices totaling $420,210
- January 29: $997,799
“Invoices are received via email and verified. The Central Bank releases the funds,” he said, adding that investigations were ongoing “to establish where responsibility lies within this process.”
He confirmed that funds were released but intercepted before reaching Export Finance Australia.
“This does not indicate an inability or unwillingness by Sri Lanka to repay its debt,” he said, adding that creditors, including the Paris Club, are unlikely to classify the incident as a default given its criminal nature.
How the fraud was uncovered
The breach came to light only after a separate suspicious transaction involving India’s export credit agency raised alarms triggered by a misspelled word in an email.
A subsequent review revealed that the $2.5 million payment had been diverted months earlier through a business email compromise scheme.
Investigators later confirmed that multiple official email accounts had been infiltrated, allowing attackers to impersonate legitimate actors and redirect funds without immediate detection.
A criminal probe led by the Criminal Investigation Department is underway, alongside internal reviews and a technical assessment supported by experts from the University of Colombo.
Four officials have been suspended pending investigation.
Justice minister Harshana Nanayakkara said the government is committed to identifying those responsible and recovering the funds but urged restraint while investigations continue.
The case has been further complicated by the death of one of the suspended officials linked to the transactions. Authorities have indicated the death was a suicide, though opposition figures have raised questions, adding a sensitive dimension to an already contentious investigation.
Government officials have cautioned against speculation, warning that unverified claims could undermine both the inquiry and public trust.
Structural weaknesses under spotlight
Harsha de Silva, Chair of the Committee on Public Finance (COPF), has framed the episode as evidence of deeper institutional failings.
“There are serious gaps in accountability and processes,” he said, pointing to confusion over the roles of key departments and a lack of clarity in approval authority.
He also questioned the erosion of expertise within the system, arguing that critical positions are increasingly held by less experienced personnel.
“If the Treasury secretary and the department heads do not have the required experience and skills, it is not surprising that processes fall apart,” he said.
Economist Umesh Moramudali warned that the breach reflects broader weaknesses in Sri Lanka’s debt management framework.
“This time, we got away with $2.5 million but, this could be worse,” he said, pointing to gaps in technical capacity and the challenges of transitioning debt management functions to new institutions without adequate expertise.
A system tested
The government maintains that the incident is a contained cybercrime within an otherwise functional system. The opposition argues it reveals systemic governance failures.
But the broader implication is harder to dismiss: even with a national cybersecurity strategy and 24/7 monitoring infrastructure in place, critical financial systems remain vulnerable, not just to external attackers, but to gaps in coordination, expertise, and oversight.
In that sense, the $2.5 million loss may be less significant than what it has revealed.
This story was written and edited by Gagani Weerakoon. She leads the editorial at the Center for Investigative Reporting (CIR).
This story was produced with support from Report for the World, a global media service strengthening local independent journalism.
