Sri Lanka Lost $3M to Hackers While Repaying Its Debt

Sri Lanka just handed cybercriminals over $3 million in two separate attacks, and the country didn’t even know the money was gone until a foreign agency called to ask where the payment was. This isn’t bad luck. It’s what happens when a government rebuilds its finances without rebuilding its defenses first.
What Just Happened
Days apart, two financial losses hit Sri Lanka’s government. The bigger one involved its brand new Public Debt Management Office, known as the PDMO. Hackers broke into the office’s email system and rerouted debt repayment funds meant for Australia. According to Treasury Secretary Harshana Suriyapperuma, “although the government followed the required procedures and completed the payment, the intended recipient did not receive the money.” The money was stolen in five separate transfers between December 31, 2025, and March 20, 2026, according to official Sri Lankan government statements.
The total taken from the PDMO alone? $2.5 million. According to local Sri Lankan reporting, this is the largest amount of cash ever stolen by hackers from a state institution in the country. Four senior officers at the PDMO have since been suspended. On top of that, a second, separate incident surfaced just days later, pushing total losses past $3 million.
Transparency International’s Sri Lanka chapter called it “a serious lapse of financial oversight,” according to published statements from the organization. Opposition lawmakers are now demanding an independent investigation.
Why This Is Bigger Than Sri Lanka
I want you to think about this clearly. Sri Lanka defaulted on $46 billion in external debt back in 2022, according to the International Monetary Fund. To crawl out of that hole, the country secured a $2.9 billion IMF bailout loan in early 2023. The PDMO itself was set up in 2026 as part of that recovery plan. It’s a brand new office, created specifically to manage debt repayments.
And within months of its creation, hackers walked right through its email system and stole $2.5 million in plain sight.
This is what’s called a Business Email Compromise attack, or BEC. It’s not exotic malware or some Hollywood heist. Criminals intercept legitimate email communications inside a government office and quietly swap out real bank account numbers for fake ones. The staff follows every procedure correctly. The money just goes to the wrong place. By the time anyone notices, the funds are gone.
BEC attacks cost businesses and governments worldwide $2.9 billion in reported losses in 2023 alone, according to the FBI’s Internet Crime Complaint Center. That number is almost certainly low because many victims never report it. Governments are not immune. They’re often easier targets because bureaucratic processes move slowly and nobody questions a payment that looks official.
Here’s what I find infuriating about this story. Sri Lanka wasn’t attacked because it was wealthy. It was attacked because it was vulnerable. A country fighting to stay solvent, managing billions in restructured debt, running a new finance office with probably minimal cybersecurity training and zero real-time payment verification systems. That’s a target. Cybercriminals don’t care about your economic recovery story. They care about your weakest link.
Rich institutions think about security before a breach. Struggling institutions think about it after. That mindset gap is exactly what attackers count on. If you’re running lean, under pressure, and focused entirely on survival, your guard drops. And the moment your guard drops, someone notices.
I’d also point out that the theft was discovered only because an Australian export finance agency reached out to ask why the payment never arrived. Sri Lanka had no internal alert system that caught it. That tells you everything. If Australia hadn’t called, this money might have stayed missing for months longer.
For individuals managing their own finances online, the lesson applies directly. Your email is the front door to your money. Tools like TotalAV antivirus protection can catch phishing attempts and malicious links before they ever get a chance to compromise your accounts. Governments should know this. So should you.
What This Means for You
You might think this is a government problem and not your problem. I’d push back on that hard.
The same attack that hit Sri Lanka’s PDMO hits small business owners, freelancers, and individuals every single day. Someone intercepts your email. They impersonate your bank, your vendor, or your accountant. You follow the instructions because they look completely normal. The money moves. It doesn’t come back.
According to the FBI, the average BEC attack loss per incident in 2023 was over $137,000. You don’t need to be a government treasury to get hit. You just need to have money moving through email.
Here is what I would do right now. First, stop treating your email like a secure channel for financial instructions. It isn’t. Any payment change requests should be verified by phone, using a number you already have on file, not one included in the suspicious email. Second, turn on two-factor authentication for every financial account and every email account you own. Third, run active security on every device you use for financial work. I personally think the Norton security suite is worth it for anyone handling money online, whether you’re a solo operator or running a team. It monitors threats in real time and flags suspicious activity before it becomes a $2.5 million problem.
Fourth, and this is the one most people skip, do a payment verification drill. Pick one of your regular payees and pretend someone just sent you a message asking you to update their bank details. Would your current process catch a fake? If the answer is “probably not,” your process needs work.
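The callback rule and the drill described above can be written as a small pre-payment check. This is an added example, not part of the original article; the payee name, account strings, phone numbers and function names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Payee:
    account: str          # bank account on file, captured through a verified channel
    callback_phone: str   # phone number on file, used for out-of-band confirmation

@dataclass(frozen=True)
class PaymentRequest:
    payee: str
    account: str              # account the emailed instruction says to pay
    amount: float
    contact_phone: str = ""   # phone number quoted in the message, if any

def normalize(account: str) -> str:
    """Strip spaces and punctuation so formatting differences do not look like a change."""
    return "".join(ch for ch in account if ch.isalnum()).upper()

def review(req, master, confirmed=frozenset()):
    """Return (decision, reason). `confirmed` holds (payee, normalized account)
    pairs that staff confirmed by calling the number on file."""
    payee = master.get(req.payee)
    if payee is None:
        return "HOLD", "payee is not in the master file"
    account = normalize(req.account)
    if account == normalize(payee.account):
        return "RELEASE", "account matches the master file"
    if (req.payee, account) in confirmed:
        return "RELEASE", "new account confirmed by callback to the number on file"
    reason = f"account differs from master file; call {payee.callback_phone}"
    if req.contact_phone and req.contact_phone != payee.callback_phone:
        reason += f", not {req.contact_phone} quoted in the message"
    return "HOLD", reason

def drill(master):
    """Payment verification drill: a fake bank-detail change for each regular
    payee must be held. Returns {payee: True if the fake was caught}."""
    caught = {}
    for name in master:
        fake = PaymentRequest(name, "ZZ00 0000 0000 0000", 1.0, "+00 000 0000")
        caught[name] = review(fake, master)[0] == "HOLD"
    return caught

# Constructed sample data, not real payees or accounts.
MASTER = {"Example Creditor Agency": Payee("XX11 2222 3333 4444", "+00 111 1111")}

if __name__ == "__main__":
    changed = PaymentRequest("Example Creditor Agency", "XX99 8888 7777 6666", 500000.0, "+00 999 9999")
    print(review(changed, MASTER))
    print(drill(MASTER))
```

A changed account is released only after the pair is added to `confirmed`, which should happen only once someone has called the number already on file.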
Cybercriminals are not geniuses. They’re opportunists. They look for the path of least resistance. Don’t be that path.
The Bottom Line
Sri Lanka built a new debt office to pay back the world. Hackers robbed it in five installments over three months. Nobody noticed until a foreign creditor asked where the money went. This isn’t a Sri Lanka story. It’s a warning. Every institution managing money through email is one intercepted message away from this exact headline. The question isn’t whether attackers will target your financial systems. It’s whether you’ve made it harder than the next target.
Frequently Asked Questions
What is a Business Email Compromise attack?
A Business Email Compromise attack happens when criminals infiltrate or impersonate an organization’s email system. They intercept legitimate payment communications and redirect funds to fraudulent accounts by swapping out real bank details for fake ones. The victim often follows every normal procedure and still loses the money.
How much did hackers steal from Sri Lanka’s government?
Hackers stole $2.5 million from Sri Lanka’s Public Debt Management Office across five transfers between December 31, 2025, and March 20, 2026, according to official government statements. A second separate incident pushed the total government losses past $3 million within the same period.
Why was Sri Lanka’s Public Debt Management Office created?
The PDMO was established in 2026 as part of Sri Lanka’s recovery from its 2022 debt crisis, during which the country defaulted on $46 billion in external debt, according to the International Monetary Fund. It was set up under the terms of a $2.9 billion IMF bailout loan secured in early 2023 to manage the country’s debt restructuring process.
How can individuals protect themselves from the same type of attack?
The most important step is to verify any payment or banking change request by phone using a number you already have on file, never one provided in the suspicious message. Turning on two-factor authentication and running active security software on all devices used for financial tasks significantly reduces your exposure to this type of fraud.
Are government institutions common targets for cybercrime?
Yes, and they’re often easier targets than private companies because bureaucratic systems move slowly and rarely have real-time payment verification in place. According to the FBI’s Internet Crime Complaint Center, BEC attacks cost victims worldwide $2.9 billion in reported losses in 2023 alone, with governments and public institutions making up a notable share of those cases.