A sophisticated email fraud targeting the Finance Ministry has exposed gaps in how the country manages its sovereign debt payments, and raised uncomfortable questions about digital security at the heart of government.

It did not begin with a dramatic server crash or a ransomware notice on a screen. It began, investigators now believe, with someone quietly reading the government’s emails.

Cybercriminals managed to infiltrate the email systems of the Department of External Resources, known as the ERD, which sits within the Treasury. Once inside, they did not move immediately. They watched. They monitored ongoing discussions about debt restructuring and repayment schedules, learning the language, the timelines, and the contacts involved.

When the moment came, they did not attack a bank. They sent an email.

What Happened

Sri Lanka was in the process of settling a bilateral debt obligation to Australia. The funds in question were part of a larger payment process between the Australian Export Finance Agency and the Treasury, with both parties exchanging information via email.

The scam was executed in five instalments, transmitted between December 31, 2025, and March 20, 2026. The money was sent. The procedures were followed. The payment was processed. But the intended recipient never received it.

The attackers had substituted the legitimate Australian bank details with their own. Because the instruction came from a trusted internal email address, Treasury officials processed the payment believing they were fulfilling a sovereign obligation. This is a well-documented form of cybercrime known as Business Email Compromise, or BEC. It does not require breaking into a bank’s servers. It requires patience, access to internal email, and the ability to impersonate people that others already trust.

The total amount diverted was $2.5 million, making it the largest cyber theft ever recorded from a state institution in Sri Lanka.

How It Came to Light

The scam was identified only after Australian export finance agencies notified Sri Lankan officials that the money had never arrived. Treasury Secretary Harshana Suriyapperuma told journalists: “Although the government followed the required procedures and completed the payment, the intended recipient did not receive the money. Instead, the criminals who intervened in the email communications were able to divert nearly $2.5 million into other accounts.”

Authorities say they first became aware in January 2026 that cyber criminals were trying to access the system, and action was taken at that stage. It was concerns over similar earlier attempts that later led authorities to review past transactions, during which it was discovered that hackers had also been active in relation to a previous payment.

The scale of the breach became clearer still when cyber criminals allegedly attempted to divert a separate payment due to India, which raised red flags over altered account details. The India attempt appears to have been intercepted before funds left.

The Official Response

On April 22, 2026, the Ministry issued an official statement confirming it had lodged complaints with the Criminal Investigation Department and the Central Bank’s Financial Intelligence Unit. The Ministry said it first informed Sri Lanka CERT and the Computer Crime Investigation Division of the Sri Lanka Police after identifying information linked to the foreign currency payment. A preliminary internal inquiry was conducted, and disciplinary action was initiated against several officials.

Four senior officers at the Public Debt Management Office were suspended. Authorities said they were seeking help from foreign law enforcement agencies.

Australia’s High Commissioner Matthew Duckworth confirmed awareness of irregularities in payments owed to Canberra, stating that Australian officials were cooperating with Sri Lankan authorities and that Australia remained committed to supporting Sri Lanka’s recovery and debt sustainability efforts.

The Political Dimension

The incident has not remained a technical matter. It has moved into parliament, and quickly.

A group of opposition lawyers wrote to the Speaker of Parliament noting that Sri Lanka was due to pay USD 22.9 million to the creditor in September 2025, with the $2.5 million being a partial payment. They called on the Speaker to initiate an inquiry, arguing that public finances are parliament’s responsibility. The issue was raised at the proceedings of the Committee on Public Accounts.

Opposition leader Harsha de Silva, who chairs the parliamentary Committee on Public Finance, wrote on X: “In over 15 years in Parliament, I have never seen this level of contempt for parliamentary oversight,” accusing the government of concealing the breach from the legislature.

The Wider Context

The timing carries weight that goes beyond the numbers.

Sri Lanka is still recovering from its catastrophic economic crisis in 2022, when Colombo defaulted on its $46 billion external debt. The Public Debt Management Office itself was established this year under an IMF-backed $2.9 billion bailout framework. A cyberattack on the very office managing that debt repayment is a significant institutional blow.

There is an irony that has not gone unnoticed: Sri Lanka’s central bank and finance ministry had launched an advertising campaign in local newspapers earlier this year warning citizens against falling prey to cyber scams, even as the ministry’s own systems were compromised.

What Recovery Looks Like

Because the funds were transferred through international banking channels, the Sri Lankan government is coordinating with the Australian High Commission and foreign law enforcement agencies to trace the money. Experts warn that once funds are siphoned into global mule accounts, full recovery is often difficult.

The focus has since shifted to systemic reform. Under the direction of President Anura Kumara Dissanayake, who also oversees the digital infrastructure portfolio, the Treasury is being pushed to move away from email-based payment approvals entirely.

The Finance Ministry has said efforts are underway to recover as much as possible of the lost funds. As of the time of writing, the investigation remains active and ongoing.

What This Tells Us

This incident is not unique to Sri Lanka. Business Email Compromise attacks on government finance departments have occurred in countries across Asia, Africa, and Europe. What makes this case notable is that it struck at a particularly sensitive point, during active sovereign debt restructuring, involving a bilateral creditor, and routed through a newly established institution that was itself set up to improve debt governance.

The breach was not the result of some advanced, nation-state-level intrusion. It was a patient, targeted manipulation of email-based trust. The systems were not fundamentally broken. The process was exploited.

That is, in many ways, the harder problem to solve. Technology can be updated. Servers can be hardened. But the habits around how government institutions communicate, verify, and approve large financial transactions are slower to change, and they are exactly what attacks like this one are designed to exploit.
