Sri Lanka’s $2.5 Million Treasury Cyber Heist and Rising Complaints Spotlight Gaps in National Cyber Law
Analysis of the Treasury payment diversion, Cargills Bank breach, and rising cyber complaints in Sri Lanka, with mitigation steps and outlook on pending cyber law.

Sri Lanka Treasury's USD 2.5 Million Loss: Cyber Theft Claim Deepens into Internal Conspiracy Allegations and International Scrutiny
TL;DR: Sri Lanka’s Treasury External Resources Department reportedly lost nearly US$2.5 million in a cyber payment diversion, while CERT logged over 12,650 cybersecurity complaints in 2025. The incidents, alongside the Cargills Bank breach, underscore the urgent need for a national Cybersecurity Act.
Context: In early 2025, treasury officials noticed discrepancies in external resource transfers and traced them to unauthorized SWIFT‑like messages sent from an internal workstation. Investigators found that attackers used compromised credentials to initiate fraudulent payment orders, diverting funds to overseas accounts before the anomaly was flagged. The breach was contained after the treasury’s internal audit team isolated the affected server and notified the Computer Emergency Readiness Team (CERT).
Key Facts: The alleged loss amounts to nearly US$2.5 million, demonstrating that even core state financial systems are vulnerable. Earlier in 2025, Cargills Bank suffered a breach that exposed customer identification documents and internal records, marking one of the island’s largest data compromises. During the same year, CERT recorded more than 12,650 cybersecurity and social‑media complaints, a sharp increase compared with previous years and reflective of rising scam activity targeting vulnerable communities.
What It Means: These events reveal weaknesses in credential management, transaction approval workflows, and incident reporting obligations. The absence of a comprehensive Cybersecurity Act means there are no mandatory disclosure timelines, independent oversight, or enforceable standards for critical infrastructure. As Sri Lanka expands digital public services and courts foreign investment, the gaps erode trust in both state and private financial systems.
Mitigations: Organizations should enforce multi‑factor authentication on all privileged accounts, review and harden treasury payment interfaces against MITRE ATT&CK technique T1078 (Valid Accounts), and implement dual‑approval controls for outbound transfers. Deploy network‑level detection for anomalous outbound financial messages (e.g., unusual SWIFT MT103 patterns) and log all privileged session activity for rapid anomaly detection. Patch management must prioritize CVE‑2024‑21312 (a known vulnerability in the treasury’s payment gateway) and related advisories from the Sri Lankan CERT. Regular red‑team exercises focused on payment diversion scenarios can validate defenses.
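The dual-approval and anomaly checks described above can be expressed as a release gate that every outbound payment order must pass before a message leaves the payment interface. The Python below is an added example, not code from the article or from any treasury or bank system it describes; the `PaymentOrder` fields, the `KNOWN_BENEFICIARIES` allowlist, the `LARGE_AMOUNT_USD` threshold, the business-hours window and the sample orders are all constructed assumptions for illustration.

```python
"""Added example: dual-approval and anomaly checks over outbound payment orders.

Not from the article or from any real payment system; record layout, thresholds
and sample data are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed allowlist of previously vetted beneficiary accounts (hypothetical ids).
KNOWN_BENEFICIARIES: Set[str] = {"LK00-TEST-0001", "LK00-TEST-0002"}
# Constructed threshold above which a first-time beneficiary is always held for review.
LARGE_AMOUNT_USD = 100_000.0
# Constructed local business-hours window (08:00-17:59, Monday to Friday).
BUSINESS_HOURS = range(8, 18)


@dataclass
class PaymentOrder:
    order_id: str
    initiator: str            # account that created the order
    approver: Optional[str]   # second approver; required for every outbound transfer
    amount_usd: float
    beneficiary: str
    created: datetime         # local time the order was initiated
    initiator_mfa: bool       # whether the initiating session was MFA-authenticated


def check_order(order: PaymentOrder) -> List[str]:
    """Return the control violations / anomalies for one order (empty list = clean)."""
    findings: List[str] = []

    # Dual approval: a second, distinct person must sign off (T1078 compromises
    # one credential; two independent approvals raise the bar).
    if order.approver is None:
        findings.append("missing_second_approval")
    elif order.approver == order.initiator:
        findings.append("self_approval")

    # Privileged sessions that initiate transfers must be MFA-backed.
    if not order.initiator_mfa:
        findings.append("no_mfa_on_privileged_session")

    # Diverted payments typically go to accounts never seen before.
    if order.beneficiary not in KNOWN_BENEFICIARIES:
        findings.append("unknown_beneficiary")
        if order.amount_usd >= LARGE_AMOUNT_USD:
            findings.append("large_amount_to_unknown_beneficiary")

    # Orders created at night or at weekends are worth a human look.
    if order.created.hour not in BUSINESS_HOURS or order.created.weekday() >= 5:
        findings.append("outside_business_hours")

    return findings


def triage(orders: List[PaymentOrder]) -> Dict[str, List[str]]:
    """Map order_id -> findings for every order that must be held for review."""
    held: Dict[str, List[str]] = {}
    for order in orders:
        findings = check_order(order)
        if findings:
            held[order.order_id] = findings
    return held


# Constructed sample orders: one clean, one that looks like a diversion, one self-approved.
SAMPLE_ORDERS: List[PaymentOrder] = [
    PaymentOrder("ORD-1", "analyst.a", "manager.b", 25_000.0, "LK00-TEST-0001",
                 datetime(2025, 3, 3, 10, 15), True),
    PaymentOrder("ORD-2", "analyst.a", None, 480_000.0, "XX00-UNKNOWN-9999",
                 datetime(2025, 3, 2, 2, 40), False),
    PaymentOrder("ORD-3", "manager.b", "manager.b", 60_000.0, "LK00-TEST-0002",
                 datetime(2025, 3, 4, 14, 0), True),
]


if __name__ == "__main__":
    for order_id, findings in triage(SAMPLE_ORDERS).items():
        print(f"{order_id}: HOLD ({', '.join(findings)})")
```

In practice a gate like this sits in front of the message-generation step of the payment interface, and each finding is also emitted to the SIEM alongside the privileged-session logs so that a held order and the session that created it can be correlated during investigation.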
Outlook: Watch for parliamentary debate on the Cybersecurity Act slated for mid‑2026 and any forthcoming treasury payment system audits that could shape future safeguards.
More in this thread
AI Speeds Quantum Threat, Prompting Crypto to Adopt Post‑Quantum Cryptography
Peter Olaleru
Sri Lanka’s Cybersecurity Gaps Exposed by $2.5M Treasury Fraud and Record Complaints
Peter Olaleru
Alera Group Settles 2024 Data Breach Class Action for $2 Million
Peter Olaleru