The alleged diversion of Sri Lanka’s $2.5 million debt repayment is unlikely to be a simple “hack,” but rather a case of a compromised payment process, where weak verification layers, email-based instructions, and insufficient system segregation created an opening for fraud, a fintech expert told The Island Financial Review.
He pointed out that in cross-border public payments, especially sovereign debt servicing, transactions typically moved through multiple controlled layers: payment instruction generation, authentication, bank routing (often via SWIFT), and final settlement.
Elaborating on the matter, he noted, “For funds to ‘miss’ the intended creditor and reach a third party, one of two things must happen: either the payment instructions themselves are altered before execution, or the beneficiary details are fraudulently substituted during the approval chain. The reports I see suggest a Business Email Compromise (BEC) scenario rather than a deep, system-level cyber intrusion.”
“In such attacks, hackers gain access to or spoof official email accounts and send seemingly legitimate payment instructions with altered bank details. If Treasury officials relied on email as a trusted channel without independent verification, such as callback protocols or cryptographic authentication, the system could have been easily deceived. This is not a failure of encryption in transit; emails may still be encrypted. The failure probably lay in identity assurance and process integrity.”
When asked whether end-to-end encryption would have prevented this, he said, “Encryption protects data from interception, but it does not confirm that the sender is genuine or that the instructions are legitimate. What is required here is a zero-trust architecture, meaning every instruction must be verified independently, regardless of the source. Modern Treasury systems, including those at commercial banks, use multi-factor authentication, digital signatures, and secure payment gateways integrated directly with banking systems – removing the reliance on email altogether.”
“Another technical gap appears to be the lack of straight-through processing (STP). In well-designed sovereign payment systems, payment instructions flow directly from Treasury platforms to Central Bank or correspondent bank systems through secure APIs or SWIFT interfaces, with minimal human intervention. If manual steps, such as email confirmations or document attachments, are still embedded in the workflow, they create vulnerabilities.”
“The institutional transition of debt management functions away from the Central Bank may also have introduced operational fragmentation. If there isn’t a unified digital infrastructure and clearly defined control points, accountability gaps emerge.”
“Given that President Anura Kumara Dissanayake also holds the digital infrastructure portfolio, and with advisory leadership from Dr. Hans Wijesuriya, this incident raises questions about execution rather than intent. A country pursuing a digital economy must ensure that its most sensitive financial operations are built on secure, interoperable, and audited platforms.”
“In practical terms, a better-coordinated strategy between the Finance Ministry and digital infrastructure authorities could have enforced mandatory secure channels, real-time transaction monitoring, and anomaly detection systems. Large-value sovereign payments should trigger automated red flags if beneficiary details change or deviate from historical patterns.”
“Ultimately, this episode underscores that digital transformation is not just about adopting technology – it is about redesigning processes, enforcing trust frameworks, and eliminating legacy practices like email-based approvals. Without that, even the most well-intentioned digital agenda remains exposed to very analog fraud,” he concluded.
By Sanath Nanayakkare
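The two controls named in the quotes above, authenticating a payment instruction independently of the email channel and raising a red flag when beneficiary details deviate from the record, are sketched below as an added example; it is not code from the article or from any Treasury system. The beneficiary registry, key, threshold and all function names are assumptions, and HMAC stands in for a real digital-signature scheme.

```python
import hashlib
import hmac
import json

# Constructed sample data: approved beneficiary master file (hypothetical values).
APPROVED_BENEFICIARIES = {
    "CREDITOR-001": {"iban": "XX00BANK0000000001", "bic": "BANKXXAA"},
}
# Hypothetical key provisioned out-of-band; a production system would use
# asymmetric signatures with hardware-protected keys instead of a shared secret.
SIGNING_KEY = b"constructed-demo-key"
LARGE_VALUE_USD = 1_000_000  # assumed threshold above which a callback is mandatory

# Constructed instruction as issued by the (hypothetical) Treasury platform.
GENUINE = {"creditor_id": "CREDITOR-001", "iban": "XX00BANK0000000001",
           "bic": "BANKXXAA", "amount_usd": 2_500_000}


def canonical(instr: dict) -> bytes:
    """Serialize deterministically so the MAC covers every field."""
    return json.dumps(instr, sort_keys=True, separators=(",", ":")).encode()


def sign(instr: dict) -> str:
    """Tag computed by the issuing platform, never by the mail client."""
    return hmac.new(SIGNING_KEY, canonical(instr), hashlib.sha256).hexdigest()


def review(instr: dict, tag: str) -> list[str]:
    """Return red flags; an empty list means the payment may proceed."""
    flags = []
    # Identity assurance: encryption in transit says nothing about this.
    if not hmac.compare_digest(sign(instr), tag):
        flags.append("bad_signature")
    # Process integrity: compare against the record, not against the email.
    known = APPROVED_BENEFICIARIES.get(instr["creditor_id"])
    if known is None:
        flags.append("unknown_creditor")
    elif (instr["iban"], instr["bic"]) != (known["iban"], known["bic"]):
        flags.append("beneficiary_changed")
    if flags and instr["amount_usd"] >= LARGE_VALUE_USD:
        flags.append("hold_for_callback")
    return flags


if __name__ == "__main__":
    altered = dict(GENUINE, iban="XX00OTHER000000999")  # constructed substitution
    print(review(GENUINE, sign(GENUINE)))   # unmodified instruction
    print(review(altered, sign(GENUINE)))   # details changed after signing
    print(review(altered, sign(altered)))   # validly signed but off-record
```

The third case is why the registry check is kept separate from the signature check: a validly signed instruction with off-record bank details is still held for callback.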