The alleged diversion of Sri Lanka’s $2.5 million debt repayment was “unlikely to be a simple hack” but more consistent with a Business Email Compromise (BEC) exploiting weak verification in the payment workflow, a fintech expert told The Island Financial Review.

Speaking to the newspaper, the analyst said cross-border sovereign debt servicing typically moves through controlled layers — payment instruction generation, authentication, bank routing (often via SWIFT) and final settlement. “For funds to ‘miss’ the intended creditor and reach a third party, one of two things must happen: either the payment instructions themselves are altered before execution, or the beneficiary details are fraudulently substituted during the approval chain.”

The expert said the publicly reported indicators point to BEC rather than a deep system-level intrusion. In such attacks, attackers access or spoof official email accounts and issue instructions with altered bank details. “If Treasury officials relied on email as a trusted channel without independent verification, such as callback protocols or cryptographic authentication, the system could have been easily deceived,” the analyst said. The failure, he argued, lay “in identity assurance and process integrity,” not encryption in transit.

Encryption alone would not have stopped the diversion, he added, pointing instead to a zero-trust architecture in which every instruction is independently verified. Modern treasury systems at commercial banks use multi-factor authentication, digital signatures and secure gateways integrated with banking systems, eliminating reliance on email.
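As an added illustration of the two controls the analyst describes, independent verification of every instruction and a beneficiary record confirmed out of band, the following Python is not code from the article or from any Treasury or bank system; it checks a repayment instruction against an authentication tag and a callback-verified creditor registry before the bank would execute it. The key, creditor name, identifiers and bank details are constructed placeholders, and an HMAC stands in for the digital signatures the analyst recommends.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key shared out of band between Treasury and the paying bank.
# Assumption: an HMAC stands in for a digital signature; the control has the same
# shape either way, since the bank executes only instructions whose authenticated
# fields match what Treasury actually originated.
GATEWAY_KEY = b"constructed-demo-key-not-for-real-use"

# Beneficiaries confirmed through a callback to the creditor, keyed by creditor
# name. Values are constructed placeholders, not real bank details.
REGISTERED_CREDITORS = {
    "EXAMPLE-EXPORT-FINANCE-AGENCY": {"bic": "EXAMAU2XXXX", "account": "AU-0000-0001"},
}

SIGNED_FIELDS = ("instruction_id", "creditor", "bic", "account", "amount", "currency")

# Constructed sample repayment instruction as Treasury would originate it.
SAMPLE_INSTRUCTION = {
    "instruction_id": "TRSY-DEMO-0001", "creditor": "EXAMPLE-EXPORT-FINANCE-AGENCY",
    "bic": "EXAMAU2XXXX", "account": "AU-0000-0001", "amount": "2500000.00", "currency": "USD",
}


def canonical(instruction: dict) -> bytes:
    """Serialise the authenticated fields deterministically, so any change to a
    beneficiary detail (the BEC substitution) changes the bytes that were signed."""
    subset = {k: instruction[k] for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_instruction(instruction: dict, key: bytes = GATEWAY_KEY) -> str:
    """Authentication tag attached by the originating Treasury platform."""
    return hmac.new(key, canonical(instruction), hashlib.sha256).hexdigest()


def verify_instruction(instruction: dict, tag: str, key: bytes = GATEWAY_KEY) -> Tuple[bool, str]:
    """Two independent checks before execution: is the instruction authentic,
    and does the beneficiary match the callback-verified registry?"""
    if not hmac.compare_digest(sign_instruction(instruction, key), tag):
        return False, "authentication failed: fields altered after origination"
    registered = REGISTERED_CREDITORS.get(instruction["creditor"])
    if registered is None:
        return False, "unknown creditor: no callback-verified beneficiary on file"
    if (registered["bic"], registered["account"]) != (instruction["bic"], instruction["account"]):
        return False, "beneficiary mismatch: bank details differ from registered creditor"
    return True, "ok"
```

An instruction whose account number was swapped after origination fails the first check; one that is properly authenticated but points at an account the creditor never confirmed fails the second, which is the layer a compromised mailbox alone cannot bypass.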

The analyst also flagged the absence of straight-through processing (STP). Well-designed sovereign payment systems push instructions directly from Treasury platforms to the Central Bank or correspondent banks via secure APIs or SWIFT with minimal human touch. Embedded manual steps — email confirmations, document attachments — become vulnerabilities.

He noted that the recent institutional transition of debt management functions away from the Central Bank may have introduced operational fragmentation. With President Anura Kumara Dissanayake holding the digital infrastructure portfolio and Dr. Hans Wijesuriya advising, he said the incident raises questions “about execution rather than intent.”

The $2.5 million diversion was detected when an Australian Export Finance Agency repayment failed to reach the counterparty. COPF Chair Harsha de Silva has flagged the incident as a potential technical default trigger.
