While the average Sri Lankan family is forced to reconcile their monthly survival with the crushing weight of the cost-of-living crisis that refuses to abate, a cool $ 2.5 million has simply evaporated from the national coffers. It did not vanish through a complex market fluctuation or a sudden shift in global trade. It was, quite literally, emailed away. As of late April 2026, the investigation into this missing fortune is moving with the typical, ponderous slowness of a bureaucracy trying to hide its own shame, but the public must not be distracted by the talk of cyber-forensics and Dubai accounts. We must look directly at the catastrophic policy failures that made this heist not just possible, but inevitable.
The official narrative being spun by the Finance Ministry is one of sophisticated hackers and international digital syndicates. This is a convenient fiction designed to mask a much more mundane and infuriating reality: the systematic dismantling of financial safeguards. For years, the Central Bank of Sri Lanka served as the primary, battle-hardened gatekeeper for foreign debt servicing. Its protocols were rigid, its staff were seasoned, and its security layers were designed to withstand exactly this kind of predatory interest. Yet, in an act of institutional hubris that we are only now seeing the full results of, the Government insisted on shifting these critical responsibilities to the Treasury’s External Resources Department.
This was the ‘original sin’ of this scandal. Critics and members of the Committee on Public Finance (COPF) warned the Treasury lacked the technical infrastructure and the culture of rigorous oversight required to handle multimillion-dollar international settlements. Those warnings were ignored. The Government chose to centralise power within a porous, under-equipped department, effectively trading national security for administrative convenience. By stripping away the Central Bank’s oversight, they removed the ‘four-eye’ principle that governs responsible finance. They created a single point of failure, and then they were shocked when that point failed.
The sheer amateurism of the breach is what stings the most. We are told that funds intended for a bilateral repayment to Australia were diverted because of a ‘compromised email’. In any private mid-sized company, a transfer of Rs. 20,000 requires multi-factor authentication, verbal confirmation, and secondary authorisation. The fact that the Treasury was moving millions of dollars based on an unverified email instruction is not a cyber heist; it is a total abdication of duty. It is a level of negligence that borders on the criminal. If a junior clerk at a local bank lost a few thousand rupees, they would be sacked and likely prosecuted within the week. Here, we lose millions of dollars belonging to a bankrupt nation, and the response is a series of polite committee meetings.
Furthermore, the culture of secrecy surrounding the probe is an insult to the taxpayer. The breach occurred between December and January, yet the full gravity of the situation was only dragged into the light months later. Why the delay? Was the Government hoping the money would miraculously reappear? Or were they busy scrubbing the digital paper trail to ensure that the blame would fall only on those low enough on the ladder to be expendable? The suspension of four junior officials is a classic scapegoating tactic. It is the political equivalent of blaming the waiter because the chef poisoned the soup. These officials did not design the flawed systems they were forced to use. They did not make the policy decision to bypass Central Bank security. They are the convenient casualties of a leadership that refuses to take responsibility for its own disastrous choices.
Industry experts have rightly pointed out that this is not just about the missing dollars. It is about the total collapse of Sri Lanka’s financial credibility. We are a nation currently begging for international trust, navigating a fragile recovery with the IMF, and asking creditors to believe in our stability. This incident tells the world that our Treasury is as secure as a sieve. If we cannot manage a routine bank transfer without falling for a basic email scam, why should any international investor trust us with a cent of their capital?
The time for internal technical investigations led by the very people who oversaw the failure has passed. What we need now is an immediate return to Central Bank oversight for all foreign debt servicing. The Government must understand that the public’s patience is not an infinite resource. This is not a digital error; it is a moral calamity. If the heads at the top do not roll, then the entire system is an accomplice to the theft.