The Treasury fund fraud reported earlier this week was a sophisticated phishing and impersonation scam rather than a direct system hack, Deputy Digital Minister Eng. Eranga Weeraratne said on Friday — the government’s most authoritative technical characterisation of the incident yet.

Weeraratne told reporters that fraudsters allegedly created a fake domain and email addresses resembling those of the international company involved in the transaction, using names similar to actual officials to mislead authorities into making the payment. Investigations are ongoing across multiple agencies, including the Sri Lanka Computer Emergency Readiness Team (SLCERT), the Central Bank and other state institutions, to trace the recipient accounts and identify those responsible.

He said authorities remain hopeful of recovering the diverted funds through the banking trail left by the transaction.

In a later briefing on Friday evening, Weeraratne said suspicions had emerged over whether internal support within the institution may have played a role in the diversion, even as investigators continue to attribute the loss primarily to external impersonation. He clarified that officials do not believe the incident necessarily involved direct internal participation but rather “a failure to identify subtle differences in communication that enabled the deception.” A comprehensive report will be issued once the inquiry is finalised, he said.

Opposition: ‘gross incompetence’

Opposition MP Harsha de Silva separately rejected the framing of the loss as a hack, calling it the result of “gross incompetence” rather than a sophisticated cyberattack. Standard financial controls appeared to have been ignored, he said: ordinary transactions are typically verified before large sums are released, and a small test payment should have been made to confirm the destination account before millions were transferred.

De Silva said payment instructions and bank account details should also have been checked against the original contract — safeguards he described as common practice. He said the issue could not be dismissed as money “going missing” and that the Committee on Public Finance is expected to examine the incident.

Context

The phishing/impersonation framing is qualitatively distinct from the “hacker fraud” language used in earlier government statements about the $2.5 million loss involving a payment intended for the Australian Export Finance Agency. It also contrasts with Dilith Jayaweera’s “cannot be attributed to hackers” framing earlier this week, which implied insider failure.

Sajith Premadasa has called for a Parliamentary Select Committee probe, and the Free Lawyers’ Collective has demanded the Treasury Secretary’s resignation. Five Treasury officials have already been interdicted.

Treating the incident as business email compromise rather than a system breach narrows the recovery channels: banking-trail tracing, mutual legal assistance and SWIFT-level coordination become the primary tools, rather than any forensic examination of the Treasury’s own IT systems.
