Sri Lankan authorities only became aware of the USD 2.5 million Treasury cyber theft after Australian officials questioned a delay in a debt-servicing payment owed to them, New Democratic Front MP and Committee on Public Finance member Ravi Karunanayake told Daily Mirror ahead of Thursday’s parliamentary hearing.
Karunanayake said five separate payments fell due — three in November 2025 and two in January 2026 — relating to interest instalments on a USD 22.9 million bilateral loan from Australia. “The Australian authorities questioned the delay in settlement. Only then did the government realise that something had gone wrong,” he said.
The disclosure points to a gap in internal detection at the Treasury and Central Bank, with the breach going unnoticed until an external creditor raised a red flag. Finance Ministry Secretary Dr. Harshana Suriyapperuma is scheduled to face the COPF at 1pm Thursday to explain how the funds were diverted by fraudsters who breached Finance Ministry email systems.
Karunanayake further argued that the Central Bank should bear responsibility for at least part of the failure. Three of the disputed transactions occurred when the Public Debt Department (PDD) was still under CBSL’s supervision, before its functions were transferred to the new Public Debt Management Office under the Public Debt Management Act No. 33 of 2024. The Central Bank closed its PDD and shifted the LankaSecure division to the Payments and Settlements Department effective 1 January 2026.
The investigation into the cyber heist is being conducted with assistance from the Australian Federal Police. Deputy Minister Anil Jayantha is expected to deliver a special parliamentary statement on May 5.
Source: Daily Mirror.
