
Central Bank’s Shadow Looms over Treasury Cyber Heist Scandal

Sri Lanka’s unfolding USD 2.5 million Treasury cyber heist has rapidly evolved into more than a case of digital fraud. It now raises deeper institutional questions, particularly about the role and accountability of the Central Bank of Sri Lanka (CBSL) during a critical transition in the country’s debt management framework.

The fraud, executed through ten transactions between November 2025 and January 2026, targeted funds intended for Australia’s export finance agency. While public attention has largely focused on the Treasury’s newly established Public Debt Management Office (PDMO), emerging evidence places significant responsibility on the Central Bank, which managed external debt servicing for years prior to January 2026.

According to findings presented before the Committee on Public Finance (COPF), seven out of the ten fraudulent transactions were processed between November and December 2025, squarely within the Central Bank’s operational period. Only three transactions occurred after January 1, 2026, when the Treasury formally assumed control through the PDMO. This timeline complicates any attempt by the Central Bank to distance itself from the scandal.

Despite maintaining public silence, the Central Bank’s involvement is not limited to historical oversight. Its Financial Intelligence Unit (FIU) is currently leading the international investigation into the stolen funds, working alongside the Criminal Investigation Department. This dual role, as both a key institution during the breach and a lead investigator afterward, has drawn criticism from transparency advocates who question whether an independent probe is being compromised.

The mechanics of the fraud reveal systemic failures across institutions. Hackers exploited a business email compromise scheme, using a spoofed domain to impersonate the Australian creditor. Payment instructions were altered without adequate verification. Investigators have confirmed that internal warnings about suspicious communications were issued but ignored.

Crucially, officials failed to perform basic safeguards such as test transactions or direct confirmation with the recipient agency. These lapses allowed fraudulent payments to proceed through multiple approval layers unchecked. By the time Australian authorities flagged the missing funds, the damage had already been done.

Oversight hearings have also exposed structural weaknesses during the transition period. The Treasury has been criticized for staffing the PDMO with inexperienced personnel, replacing seasoned Central Bank officials at a sensitive moment. However, this does not absolve the Central Bank. Experts argue that a proper transition should have included parallel oversight, knowledge transfer, and risk mitigation, none of which appear to have been effectively implemented.

Further controversy surrounds delayed reporting. Although red flags reportedly surfaced in January 2026, formal complaints were only lodged in late March. This delay allowed the fraudulent scheme to continue longer than it might have otherwise.

Legal and administrative fallout has followed. The Colombo Fort Magistrate’s Court has imposed overseas travel bans on five officials linked to the PDMO and External Resources Department. Four senior officers have been suspended, while the death of one suspended official has added a tragic dimension to the case, raising concerns about pressure within the public service.

Meanwhile, civil society groups such as the Free Lawyers Organisation are calling for a broader investigation through the Committee on Public Accounts, arguing that existing probes lack transparency and urgency.

As the country awaits further official statements on recovery efforts and accountability measures, a central question remains unresolved: can the Central Bank, which oversaw the majority of fraudulent transactions, credibly position itself as merely an investigator?

By a Special Correspondent
