Sri Lanka's Finance Ministry Breached: Hackers Steal $2.5M From Debt Repayment Fund

A cyberattack on Sri Lanka's finance ministry has diverted $2.5 million in sovereign debt repayment funds into unknown bank accounts, making it the largest cyber theft ever recorded from a state institution in the country.

The breach, reportedly carried out sometime in January 2026, only came to light after Australia complained it had not received payment.

What Was Stolen, and From Where?

Hackers infiltrated the computer systems of Sri Lanka's finance ministry and redirected $2.5 million that was earmarked as a bilateral debt repayment to Australia, with a settlement originally due in September 2025. The funds never reached Canberra.

How Did the Hackers Do It?

Investigators believe the attackers tampered with email-based payment instructions within the sovereign debt payment process.

By altering bank account details in outgoing instructions, the funds were quietly rerouted. The precise method of entry into the ministry's systems has not yet been confirmed publicly.

How Was the Theft Discovered?

Sri Lankan officials reportedly detected the missing funds only after the Australian creditor flagged that its payment had never arrived.

The scale of the breach became clearer when cyber criminals allegedly attempted to divert another payment due to India, raising red flags over altered account details.

Who Is Being Held Accountable?

Finance ministry secretary Harshana Suriyapperuma told reporters that four senior officers at the Public Debt Management Office (PDMO) have been suspended.

Suriyapperuma reportedly said criminal investigators were involved and that foreign law enforcement assistance was being sought.

What Is Australia's Response?

Australian High Commissioner to Sri Lanka, Matthew Duckworth, confirmed on X that Canberra was aware of irregularities in payments owed to it.

According to Duckworth, Sri Lankan authorities are coordinating with Australian officials, who are actively assisting the investigation.

Why Is This Particularly Damaging for Sri Lanka?

Sri Lanka is still recovering from a catastrophic economic crisis in 2022, when Colombo defaulted on its $46 billion external debt and the country ran out of foreign exchange reserves, triggering food and fuel shortages.

The PDMO itself was established this year under an IMF-backed $2.9 billion bailout framework. A cyberattack on the very office managing that debt repayment is a significant institutional blow.

Could This Have Been Prevented?

Ironically, according to AFP, Sri Lanka's central bank and finance ministry had launched an advertising campaign in local newspapers earlier this year warning citizens against falling prey to cyber scams, even as the ministry's own systems were compromised.

Officials are now investigating how multiple internal control mechanisms failed simultaneously.

The bigger question is whether the $2.5 million can be recovered at all, and what this breach signals about the vulnerability of sovereign financial systems to increasingly sophisticated cyber criminals.

(With inputs from yMedia)