Sri Lanka’s USD 2.5 million Treasury cyber heist has entered a critical phase, with new findings sharpening focus on the role of the Central Bank of Sri Lanka in the country’s debt servicing systemboth historically and during the recent transition to the Treasury.

The fraud, carried out through ten transactions between November 2025 and January 2026, has exposed weaknesses not only in cybersecurity but also in institutional accountability. While attention has been directed at the Treasury’s Public Debt Management Office (PDMO), the timeline of events places significant responsibility on the Central Bank.

For decades, the Central Bank functioned as the government’s primary agent in managing public debt. This included handling external repayments, coordinating with international creditors, and maintaining settlement systems. Its Public Debt Department was central to ensuring the credibility and accuracy of sovereign debt transactions.

That long-standing arrangement changed on January 1, 2026, when debt management operations were formally transferred to the Treasury’s PDMO. However, the transition did not mark a clean break in responsibility.

Evidence presented during parliamentary hearings confirms that seven of the ten fraudulent transactions occurred between November and December 2025, when the Central Bank was still fully responsible for debt servicing. The remaining three transactions took place in January 2026 under the Treasury’s authority.

This overlap has become a key issue in determining accountability.

The fraud targeted funds intended for a bilateral repayment to Australia and was executed using a business email compromise scheme. Hackers exploited weaknesses in communication systems, sending fraudulent payment instructions through a spoofed domain that closely resembled the legitimate creditor’s email address.

Despite the scale and sensitivity of these transactions, standard verification procedures were not followed. There were no test transfers, no independent confirmations, and no escalation of system warnings that had flagged potential risks.

These failures raise serious questions about the effectiveness of internal controls during the Central Bank’s tenure. Given its long-standing experience and established protocols, critics argue that such repeated breaches should have been detected earlier.

The Central Bank’s current role further complicates matters. Its Financial Intelligence Unit is now leading efforts to trace the stolen funds and investigate potential money laundering, in coordination with law enforcement agencies. This has led to concerns about a conflict of interest, as the institution is effectively examining a failure that occurred largely under its own oversight.

The delay in detecting the fraud has also drawn scrutiny. Although irregularities were reportedly identified in January 2026, authorities only confirmed the losses months later after foreign counterparts raised concerns. This delay spans both institutional periods but includes a critical phase when the Central Bank still held authority.

The transition to the PDMO was intended to modernize Sri Lanka’s debt management system. Instead, it has highlighted gaps in coordination, staffing, and oversight. The Treasury has faced criticism for relying on inexperienced personnel, but the Central Bank’s silence regarding its own role continues to raise concerns.

This case unfolds against the backdrop of Sri Lanka’s broader debt challenges following its recent economic crisis. In such a context, the integrity of debt servicing systems is essential not only for financial stability but also for maintaining international confidence.

As investigations continue and calls for independent oversight grow, the focus remains on whether the Central Bank can clearly account for its actions during the period when most of the fraudulent transactions took place.

The post Debt Servicing Failures Span Central Bank and Treasury Transition appeared first on LNW Lanka News Web.