Sri Lanka is trying to recover $2.5 million after a cyberattack on the Finance Ministry’s payment system redirected funds away from their intended recipient, exposing fresh weaknesses in the country’s public financial controls. Officials say the breach involved email manipulation, and the issue surfaced after opposition lawmakers alleged that treasury money had landed in a hacker’s account instead of reaching the correct creditor. The incident has prompted a high-level probe, with authorities treating it as both a financial loss and a serious security breach.
According to finance ministry secretary Harshana Suriyapperuma, cybercriminals were first detected trying to enter the External Resources Department’s system in January 2026, and the ministry took steps with overseas partners to stop further damage. He said the earlier attempt was contained, but the later payment breach still led to losses that are now under review. The stolen amount formed part of a larger $22.9 million payment, with $2.5 million reportedly disbursed between December 2025 and January 31, 2026.
The incident has drawn wider attention because it involves government debt repayment funds and an apparent failure in payment verification. Australia’s high commissioner in Sri Lanka said Canberra was aware of irregularities in payments owed to it, and Australian officials are assisting the investigation. That international angle has made the breach more sensitive, since the diverted funds were tied to a sovereign obligation rather than a routine domestic transaction.
A high-powered committee has been formed to investigate the hacking incident and identify how the payment was rerouted. Opposition lawyers have also asked Parliament to examine the matter, arguing that public finances fall under legislative oversight. The issue has been raised before the Committee on Public Accounts, adding political pressure on the government to explain how the breach happened and whether more funds may have been exposed.
The episode is a damaging reminder that cyberattacks can hit not just banks and companies but also state payment systems handling international debt obligations. For Sri Lanka, which is still recovering from its severe economic crisis and debt default, even a single diverted payment can deepen concerns about administrative safeguards and digital resilience. The investigation will likely focus on email security, approval controls, and how quickly suspicious payment changes were detected.