The alleged US$2.5 million loss from Sri Lanka’s Treasury has triggered a widening debate over whether the incident was a sophisticated cyberattack or a case of basic administrative negligence, with opposition leaders accusing the government of obscuring the truth.
Opposition MP Harsha de Silva has strongly criticized the government’s handling of the case, arguing that the evidence points to fundamental failures in financial discipline rather than advanced hacking techniques. He said that in standard practice, large international transfers require multiple layers of verification, including confirmation of beneficiary details and small test payments before full disbursement.
Dr. de Silva questioned why such safeguards were not applied, suggesting that the loss could have been easily prevented. He emphasized that payment instructions and bank account details should have been strictly verified against original contractual documents. In his view, the absence of these controls reflects negligence rather than cyber sophistication.
He further rejected attempts to downplay the incident, stating that public funds were clearly lost and that accountability must follow. He has called for the matter to be formally debated in Parliament, with the Committee on Public Finance expected to investigate how such a failure occurred within a key state institution.
The government, however, maintains that the incident involved external cyber deception. Treasury Secretary Harshana Suriyapperuma confirmed that hackers breached email communications in January 2026 and manipulated instructions within the External Resources Department. He said the intrusion was detected internally and reported immediately to law enforcement and cybersecurity agencies.
Deputy Minister Eranga Weeraratne offered a different perspective, stating that the attack relied on impersonation and fake email identities rather than direct system penetration. Fraudsters allegedly used convincing digital replicas of official communication channels to mislead staff into authorising transfers.
Deputy Finance Minister Anil Jayantha Fernando added that hackers accessed sensitive information through compromised emails and altered banking details to redirect funds. He also confirmed that internal investigations have already led to disciplinary measures against several officials.
Authorities, including the Sri Lanka Computer Emergency Readiness Team, the Central Bank of Sri Lanka, and the CID, are now working alongside international partners such as Interpol to trace the stolen money.
However, critics argue that the four-month delay in disclosing the incident raises deeper concerns about transparency. They claim that the government’s inconsistent explanations may reflect an attempt to manage public perception rather than fully disclose operational failures.
At the heart of the controversy lies a fundamental disagreement: whether Sri Lanka was hit by a sophisticated international cyber operation, or whether internal weaknesses and procedural failures enabled the loss. Until a clear and unified account is established, questions over accountability—and trust in financial governance are likely to persist.
By a Special Correspondent