The Sri Lankan Treasury is embroiled in a deepening controversy following the loss of USD 2.5 million (over LKR 750 million), initially reported as a cyber theft of funds intended for a loan installment payment to Australia. The incident, first detected in January 2026, involved the diversion of money that was part of a larger USD 22.9 million debt settlement due to the Australian Export Finance Agency. This marks the largest amount of cash ever stolen from a state institution in Sri Lanka.
Initially, the Ministry of Finance, Planning and Economic Development officially confirmed a cyber attack, stating that cybercriminals gained unauthorized access to the computer system of the Ministry's External Resources Department. They exploited the email communication channel between the Treasury and the Australian agency to manipulate payment instructions, diverting the funds to a third party. Treasury Secretary Harshan Suriyapperuma clarified that the incident was not made public initially to prevent the hackers from hiding. Deputy Minister of Finance Dr. Anil Jayantha confirmed the mechanism and categorically denied any government party involvement, attributing the irregularity solely to an organized group of cybercriminals. He also revealed that hackers had attempted to divert a loan payment to India by changing account numbers, but this attempt was thwarted.
In response, the Ministry filed complaints with law enforcement agencies, including the Sri Lanka Computer Emergency Readiness Team (SL-CERT) and the Sri Lanka Police's Computer Crime Investigation Division. The Treasury launched its own special investigation, alongside ongoing probes by the Criminal Investigation Department (CID). The Australian High Commission in Colombo officially confirmed its awareness of irregularities and stated that Australian officials are assisting with the investigation. Government intelligence agencies have also launched a special investigation, utilizing specific technical methods, with Australian security agencies confirming their support. The Financial Intelligence Unit (FIU) of the Central Bank has been informed and is part of a joint comprehensive inquiry with the CID and SL-CERT. The International Monetary Fund (IMF) has expressed significant concern, with a spokesperson confirming they are closely monitoring the situation.
However, the official narrative of a simple cyber theft has been strongly challenged by various parties, who allege a more complex internal irregularity or planned theft:
* Former Governor Rajitha Keerthi Tennakoon stated the incident was not a hacker attack but a financial irregularity where all 13 steps of government financial regulations were followed, including approval from the Secretary. He alleged that four lower-level officials are being scapegoated to protect higher-ranking officials, questioning how the contractually agreed bank account number changed within the management steps and emphasizing that loan payments should be directed to contractually agreed account numbers, not informal email messages.
* An assessment by popular AI models (Chat GPT and Gemini) suggested it is "extremely difficult and complex" for hackers to intercept country-to-country debt payments, especially via email, and that such incidents are rare globally.
* The 'Dinana Dakuna' organization, via Shiral Lakthilaka, asserted the loss was not a hacker attack but a serious internal act, describing it as a 'Business Email Compromise' (BEC) or 'Phishing' process where Treasury officials were deceived by a fake email and transferred funds without proper communication with the foreign bank's officials.
* Former MP Udaya Gammanpila claimed the incident was not a hacker attack but a planned theft carried out within the Treasury itself, alleging funds were transferred to a different account based on email instructions that changed the loan-paying institution's account number, asserting no hacking occurred during the transfer.
* A fintech expert, Asela Vaidyalankara, stated the incident was unlikely to be a simple "hack", but rather a compromised payment process involving weak verification layers, email-based instructions, and insufficient system segregation. It was also revealed that the emails exchanged for the transaction were described as "very loose" or informal. Vaidyalankara identified it as a BEC cyber-attack method and affirmed that technical methods exist to prevent such occurrences, recommending that the Central Bank of Sri Lanka (CBSL) advise the domestic banking system to obtain ISO 27001 certification.
* Deputy Digital Economy Minister Eranga Weeraratne clarified that the loss was likely a sophisticated phishing and impersonation scam, not a direct system hack. He stated that fraudsters created fake domains, emails, and used names similar to officials to mislead authorities, suggesting the issue might stem from a failure to recognize these discrepancies. He later revealed that investigations are now exploring suspicions of potential internal support within the institution that may have played a role in the transfer.
* Lawyers Maitri Gunaratne and former Governor Keerthi Tennakoon have asserted that the disappearance was not a cyber attack but a planned financial fraud with official involvement, claiming the transaction was conducted very carefully, involving relevant parties.
* Former Minister Patali Champika Ranawaka has alleged that the narrative of the loss being a 'hacker's act' is a cover-up to protect the officials and the Secretary who approved the transfer. He clarified that technically, the incident was a 'Phishing Attack' or 'Business Email Compromise' (BEC), not a direct hack, and alleged the government is attempting to label it as a hacker attack to protect the senior officials who authorized the transaction.
* The Free Lawyers' Organization asserted that the incident was not merely a technical error but a planned financial heist orchestrated by an internal "mastermind", carried out through a 'Business Email Compromise' (BEC) method.
* The Sri Lanka Labour People's Front Chairman Chameera Perera alleged that the theft was the result of a serious conspiracy by Rajapaksa associates operating within institutions, aiming to weaken and divert investigations.
* Parliamentarian Dr. Harsha de Silva stated the USD 2.5 million loss appears to be a result of fundamental negligence rather than a cyber attack. He questioned the absence of a small test payment to confirm the destination account, a standard practice, and the failure to verify payment instructions against original documents.
* Former President Mahinda Rajapaksa emphasized the need to first uncover the root cause of the incident before attempting to recover the funds, dismissing efforts to recover money from alleged hackers as an "illusion" and suggesting some individuals are trying to "cover up the issue".
* NPP Parliamentarian Lakmali Hemachandra noted that such systemic intrusions or fraudulent activities are not unique to Sri Lanka, citing similar incidents in the UK customs office and Australia last year, pointing to a systemic weakness.
Crucially, it has been revealed that the stolen funds were transferred to an American bank, and initial investigations indicate fraudsters acquired the funds by posing as a trusted party and submitting false information. New investigations also suggest the same hacker group responsible for the USD 2.5 million Treasury loss may have also deleted or made missing several important documents related to the repayment of a loan from France, with investigators suspecting intent for further financial fraud. The fraud occurred during a payment made under the process of restructuring loans obtained from the Australian government for five projects in Sri Lanka, and the funds were diverted when a hacker used a slightly altered email domain instead of the correct `exportfins.gov.au` for the payment. HSBC Bank issued two warnings identifying the USD 2.5 million payment as a suspicious transaction before the funds were diverted, and Central Bank officials were responsible for all aspects of this financial transaction, including setting up bank accounts, signing agreements, and handling correspondence.
Prime Minister Harini Amarasuriya confirmed that investigations have commenced, with international assistance already received, specifically from the Government of Australia. She also criticized the opposition for making baseless claims. The CID confirmed they would seek INTERPOL's assistance if investigations definitively confirm the money fell into hackers' hands. Deputy Minister of Digital Economy, Eranga Weeraratne, stated that significant progress has been made in the investigations. He added that a special security system involving 37 key institutions has been created for enhanced security and that investigations are underway to determine how long this financial fraud has been occurring. Finance Ministry Secretary Dr. Harshana Suriyapperuma stated that any actions regarding a potential loss would be decided following the conclusion of ongoing investigations. Deputy Finance Minister Anil Jayanta confirmed that the official email system was misused in the financial fraud and noted clear negligence by officials in handling payments. He also stated that authorities are investigating a potential political motive behind the incident to embarrass the government. As a direct result of the incident, Central Bank approval will now be mandatory for all future loan repayments, and new technical methods have been introduced to enhance internal server security. Minister of Ports, Civil Aviation, and Energy, Anura Karunathilaka, has confirmed that disciplinary action has already been initiated against officials allegedly involved. The Digital Trust Alliance, along with a coalition of professional organizations, has urged the government to strengthen cybersecurity governance and institutional resilience across the public sector. NPP Parliamentarian Ravindra Bandara has stated that a process is currently underway to fully recover the USD 2.5 million.
The CID is set to extensively question two Treasury officials directly involved in the USD 2.5 million transfer, after formally reporting the matter to court. Police sources indicate that these two Treasury officials are likely to be taken into police custody soon. The CID has already recorded statements from seven officials from both the State Debt Management Office of the General Treasury and the Department of External Resources, and the computers used by these officials have been taken into CID custody for further forensic analysis. SLCERT has stated that recovering the stolen USD 2.5 million is a technically challenging task. The CID reported facts to the Colombo Fort Magistrate's Court, presided over by Magistrate Isuru Neththikumara, and a travel ban has been imposed on five officials from the Finance Department in connection with the incident. The investigation is being conducted under the Public Property Act, Computer Crimes Act, and Penal Code, with the CID's Computer Crimes Division leading the probe. The court has also granted permission to examine the bank accounts of the officials involved.
The incident has drawn significant political and public scrutiny:
* The Free Lawyers organization, led by President's Counsel Maithri Gunaratne, formally requested a comprehensive parliamentary investigation and accused the President (in his capacity as Finance Minister) and the Finance Ministry Secretary of being responsible. Gunaratne further alleged that both the Treasury and the Central Bank are involved in the incident, accusing the Treasury Secretary, approving officials, and the President of involvement, and reiterating calls for their resignations to ensure a fair investigation. He has called for the immediate arrest of Harshan Suriyapperuma, asserting he should be named the main suspect as the USD 2.5 million could not have left the Treasury without his approval or that of other high-ranking officials. Former Governor Rajitha Keerthi Tennakoon, also representing Free Lawyers, pointed out that Central Bank officials were involved in preparing bank accounts, signing agreements, and handling related correspondence for the transaction.
* Opposition Leader Sajith Premadasa alleged the funds were diverted due to the government's lack of clear confirmation, raising concerns over the country's financial security and government financial management systems. He criticized the lack of a formal statement and alleged conflicting accounts from Finance Ministry and Treasury officials.
* Opposition MP Dr. Harsha de Silva questioned if Sri Lanka could have defaulted on debt repayments and revealed that prior warnings about the risks were raised at the Committee on Public Finance (CoPF) when sovereign debt operations shifted from the Central Bank to the Treasury's Public Debt Management Office (PDMO). As Chairman of the CoPF, Dr. de Silva announced that the Finance Ministry Secretary and other relevant officials will be summoned to Parliament for questioning. The Parliamentary Finance Committee is scheduled to convene to discuss the incident and decide on summoning the Secretary to the Ministry of Finance.
* Pohottuwa National Organizer and MP Namal Rajapaksa publicly questioned the diversion, demanding that the President reveal whose account the funds were transferred to.
* The Samagi Jana Balawegaya (SJB) has called for the removal of the Treasury Secretary, with Colombo District MP Mujibur Rahuman stating that the President and Finance Ministry Secretary are directly responsible and should resign. Mujibur Rahuman called it "daylight robbery" and demanded the resignation of the President (as Finance Minister) and the Finance Ministry Secretary.
* The "Sathya Gaveshakayo" organization has filed a complaint with the Inspector General of Police (IGP), requesting an investigation and stating that a technical committee comprising officials from the involved department is insufficient.
* National Janabalawegaya MP Chandana Suriyaarachchi stated the fraud was a weakness and irregularity in communication between officials and international institutions, not a planned fraud, and confirmed the situation was not intentionally hidden.
* Former State Minister Shanta Bandara questioned who permitted hackers to steal USD 2.5 million and who was responsible for creating the system weaknesses that facilitated the breach.
* A group of youth protested in front of the Ministry of Finance, demanding a formal investigation and calling for the resignation of the Finance Minister and the Ministry Secretary.
* The SJB and Sri Lanka Podujana Peramuna (SLPP), along with other opposition parties, have decided to raise a strong protest in Parliament when it reconvenes on May 5th.
* Minister Wasantha Samarasinghe urged the opposition not to compare this incident to the Central Bank bond scam, stating that investigations are underway and culprits will be punished regardless of status.
* Reports indicate that four opposition MPs, including a senior MP frequently vocal on economic matters, had prior knowledge of the incident but refrained from disclosing the information.
This event, noted as the first of its kind in Sri Lanka's history, has garnered significant attention from international media, including BBC, Bloomberg, WION, AFP, and The Guardian.