The Sri Lanka cyber heist exposed failures at the Finance Ministry, Central Bank and PDMO, according to a new COPF investigation.
The Sri Lanka cyber heist involving US$2.5 million resulted from failures across several state institutions, rather than an external attack alone, a COPF report has concluded.
The report says the Central Bank cannot completely distance itself from responsibility for the fraud. It describes the incident as a systemic breakdown involving weak controls, procedures and operations across multiple institutions.
The fraud seriously disrupted the government’s foreign debt repayment process. It has also triggered a dispute between the Finance Ministry and the Central Bank over who should accept responsibility.
The Finance Ministry argues that the Central Bank, as the government’s banker, should have followed anti-money laundering controls more carefully. It says the bank should have identified and stopped suspicious payments.
Ministry officials have also pointed to the limited experience of personnel at the newly established Public Debt Management Office.
However, the Central Bank has rejected those accusations. It says criminals first gained unauthorised access to the Finance Ministry’s email system.
The bank maintains that its role was limited to processing payment instructions already authorised by the Ministry.
Sri Lanka Cyber Heist Exposes Transition Failures
The fraud took place while the government was transferring debt management responsibilities to the new PDMO.
Authorities established the office under the Public Debt Management Act, No. 33 of 2024.
During the 18-month transition period, the institutions had no proper Memorandum of Understanding. They had also failed to establish clear performance indicators.
The report identified serious weaknesses in the Finance Ministry’s cybersecurity systems.
The External Resources Department used a separate email network built on an outdated Microsoft Exchange Server 2016. It did not operate through a centralised government IT system.
Investigators also found that one director approved the multimillion-dollar payments without review by a senior official.
The director allegedly failed to verify the invoices against the original loan agreements before approving the transactions.
ERD officials also did not forward copies of relevant emails to PDMO personnel. This created an information gap that the perpetrators reportedly exploited.
Warning Over UAE Payment Was Not Acted Upon
The Central Bank had previously raised concerns in November 2025 over a payment directed to an account in the United Arab Emirates.
However, senior Finance Ministry officials failed to take appropriate action following that warning, according to the report.
COPF has now issued several recommendations aimed at preventing another attack.
It has called for the National Audit Office to conduct a special audit into the incident.
The committee has also recommended updating outdated financial regulations and enforcing Sri Lanka Computer Emergency Readiness Team cybersecurity standards throughout the public sector.
Another proposal calls for a secure data repository to replace email-based financial transactions.
COPF has also urged the government to introduce a whistleblower protection policy.
The report’s findings suggest that neither the Finance Ministry nor the Central Bank can treat the incident as someone else’s failure.
The US$2.5 million loss exposed weak communication, outdated technology and inadequate oversight across the government’s debt repayment system.
Preventing another Sri Lanka cyber heist will require more than identifying the hackers. It will demand institutional accountability, modern security systems and stronger checks before officials release public money.
