Sri Lanka is grappling with an emerging threat beyond maritime security: serious vulnerabilities in its cybersecurity systems. Nearly USD 2.5 million has reportedly gone missing from the Treasury of the Ministry of Finance, funds that were due to be remitted to Australia — an incident that has raised serious concerns within financial and administrative circles. It is a situation that would be difficult to comprehend for any institution, and one that underscores the urgency of addressing systemic weaknesses. Prior to this, National Development Bank PLC (NDB) disclosed a major internal fraud of approximately Rs. 13.2 billion, which has been described as involving suspicious transactions under investigation.
Adding to these concerns, the Department of Posts is now under scrutiny after USD 625,000 – claimed to have been sent to the United States Postal Service – was reportedly not received, prompting further investigations into the transaction trail and possible irregularities. Taken together, these incidents point to a colossal failure in oversight, exposing systemic weaknesses and a troubling lack of preparedness in addressing cyber threats.
Sri Lanka has long drawn global attention after positioning itself along the strategic East-West maritime corridor, a route heavily used by international shipping. Successive governments promoted the island as a key hub where passing vessels could refuel and replenish, projecting significant economic gains. This vision gained traction in the early 2000s and led to major infrastructure projects, including the development of the Hambantota Port.
However, the anticipated benefits of this geographic advantage have not materialised to the extent envisioned. Instead, the country became entangled in mounting debt, particularly linked to Chinese-funded projects, fuelling persistent concerns over financial dependency. The narrative of leveraging the maritime corridor gradually gave way to debates over a “debt trap”, compounded by allegations of corruption involving international developers, former government officials and politicians.
Amid a deepening economic crisis, Sri Lanka struggled to meet its obligations to international partners, ultimately entering a funding restructuring programme with the International Monetary Fund to address approximately USD 53 billion in external debt. This transition followed significant political upheaval, including the ousting of former President Gotabaya Rajapaksa.
A new administration led by Anura Kumara Dissanayake came to power promising reform, accountability and a cleaner system of governance. Two years on, however, new challenges have emerged. A growing presence of cybercriminal networks, linked to actors from China, Cambodia, India and Myanmar, has begun to surface, signalling a shift in the country’s security landscape from traditional geopolitical concerns to complex digital threats.
The former government had highlighted the rescue and repatriation of Sri Lankans and other foreign nationals who were reportedly trapped in cyber scam operations run from compounds in Myanmar. These networks, allegedly involving individuals from Sri Lanka, Bangladesh and India, were said to be working under larger criminal syndicates linked to online fraud targeting victims in Western countries.
One of the most significant crackdowns took place in Myawaddy, where a large-scale cyber scam facility was dismantled and several individuals were arrested, with many later taken into custody and repatriated. Chinese nationals were among those arrested in these coordinated international operations. Now many say that these cyber criminals find Sri Lanka a safe haven.
Following these developments, Sri Lanka itself has reportedly seen a rise in similar cyber-related activities, and over 400 Chinese nationals were arrested in the past four months. Investigations suggest that some of these groups rented large residential properties and even entire hotel floors, paying in cash and setting up makeshift office operations with hundreds of computers. These activities were reported across Colombo, the hill country, and southern regions, often operating without immediate detection.
In several cases, suspects have been arrested and later repatriated, particularly to China. However, there remains limited public clarity on the full scope of investigations, including financial trails, victim networks and outcomes of prosecutions. Questions have also been raised regarding the transparency of custody procedures and bail conditions, with unverified claims circulating about irregular practices.
At present, there is still no comprehensive public account of how these operations were dismantled, whether all associated financial flows were traced, or who the primary beneficiaries and victims were. As a result, concerns persist that key details surrounding these cybercrime networks remain undisclosed, leaving significant gaps in public understanding of the issue.
The latest and most serious development concerns the banking sector, where NDB reported that approximately Rs. 13.2 billion had been lost in an alleged internal fraud incident involving certain employees. The bank clarified that customer deposits remain unaffected and that normal operations continue without disruption.
Following the disclosure, the Central Bank of Sri Lanka announced that, in consultation with NDB, arrangements were being made to appoint a leading international forensic audit firm to conduct a detailed investigation into the incident. Subsequently, NDB commissioned Deloitte Touche Tohmatsu India LLP to carry out a comprehensive forensic review of the fraud, including an examination of internal controls, governance failures and oversight lapses. The review is being conducted under the supervision of the Central Bank’s director of bank supervision, with findings expected to be submitted directly to regulators.
According to available information, more than six employees from the bank’s IT department have been suspended in connection with the investigation. However, the situation has also drawn public attention because no board-level resignations have been announced so far, raising questions about accountability at senior management levels.
NDB has confirmed that the findings of the ongoing forensic review, including interim updates and the final report, will be submitted directly to the Central Bank of Sri Lanka. The disclosure follows earlier updates issued on 2 April and 6 April, with the bank’s Board reiterating its commitment to transparency and accountability to shareholders, depositors, customers and other stakeholders.
Meanwhile, the Criminal Investigation Department (CID) has launched investigations into the banking transactions of certain senior officials of NDB and their family members in connection with the alleged large-scale fraud. The move follows a court order issued after a request by the Computer Crimes Investigation Division of the CID, signalling a widening probe into potential financial irregularities linked to the incident.
Shortly after these developments, attention shifted to a separate and unexpected incident involving the disappearance of USD 2.5 million from the Treasury. The funds were reportedly intended for Export Finance Australia as part of Sri Lanka’s external debt restructuring arrangements. They said the system was hacked.
On 27 October 2025, following several months of bilateral discussions, Export Finance Australia finalised debt relief for Sri Lanka. The two sides signed an agreement on external debt restructuring, aimed at supporting Sri Lanka’s efforts to restore debt sustainability and economic stability. The total restructuring package is estimated at approximately AUD 60 million (USD 39 million). The agreement was signed at the Ministry of Finance in Colombo, where Treasury Secretary Dr Suriyapperuma signed on behalf of the Government of Sri Lanka, while Matthew Duckworth, High Commissioner-designate of Australia to Sri Lanka, formally exchanged the documents.
However, concerns emerged when the Australian lending agency later stated that the USD 2.5 million payment had not been received. Preliminary indications suggest the possibility of a cyber-related breach, with suspicions raised over a potential cloned website or fraudulent communication that may have misdirected the transaction. Authorities are now examining whether the incident involved an external cyberattack or an internal compromise.
A spokesperson for Australia’s Department of Foreign Affairs and Trade has confirmed to this writer that they are assisting Sri Lankan authorities with the investigation and reiterated their commitment to supporting Sri Lanka’s ongoing efforts toward debt sustainability.
In response to the growing concerns over cybersecurity risks affecting government financial systems, the Digital Trust Alliance, together with leading cybersecurity professional bodies – including ISACA Sri Lanka, the ISC2 Sri Lanka Chapter, the Cloud Security Alliance Sri Lanka Chapter, and BSides Sri Lanka – has formally written to President Anura Kumara Dissanayake and relevant state authorities, urging strengthened cyber resilience and urgent systemic safeguards.
The shock surrounding the USD 2.5 million Treasury incident has only deepened, with a second unexplained payment issue now coming to light. On 26 April, Sri Lanka confirmed that a separate remittance of USD 625,000, intended for the United States Postal Service, has not been received by the US side and is now under investigation.
Minister Nalinda Jayatissa stated that a formal inquiry has been launched after US authorities informed Sri Lankan officials that the funds had not reached their destination. He made the remarks in response to media questions regarding the earlier reported diversion of USD 2.5 million in Treasury funds, which is also suspected to be linked to a cyber-related incident.
According to the Minister, both CID and the Department of Posts are conducting parallel investigations into the matter. Preliminary findings suggest that the transactions in question were executed on two separate occasions.
“Sri Lanka has made the payment, but the United States Postal Service has informed us that it has not received the funds,” he said, adding that investigations are ongoing to determine where the breakdown occurred and whether it involved technical, procedural, or malicious interference.
These successive developments have intensified concerns that a broader cybersecurity threat is emerging within Sri Lanka’s financial and administrative systems, with incidents appearing to surface one after another. The government’s position that each case is being investigated internally, rather than being immediately disclosed in Cabinet discussions or publicly detailed, has raised concerns among observers about transparency and accountability.
The USD 2.5 million incident is also reported to have been brought to the attention of certain opposition members who made it public, while the government maintains that investigations are ongoing and that premature disclosure could affect the integrity of the probe.
Questions are now being raised about public ownership and accountability: if customer deposits in banks are considered secure, then whose funds have been lost or misdirected in these cases? Similarly, in the case of the Sri Lanka Post payment, it remains unclear whose money was transferred and where the breakdown occurred.
In the end, the money disappeared, the systems failed, and the perpetrators remain invisible—raising the unsettling question of whether Sri Lanka is chasing shadows in a digital battlefield it is not yet equipped to fight.
Originally published in the Daily Sun.