- Experts warn weak governance, poor awareness leaving State systems exposed
- Officials say ransomware, phishing, business email compromise on the rise
- SL’s digital transformation outpacing cybersecurity preparedness
- AI-driven scams, deepfakes creating new challenges for authorities
- Cyber experts warn repeated breaches could damage SL’s global digital reputation
- Lack of trained cybersecurity personnel in State sector under scrutiny
- Sri Lanka CERT says human vulnerability remains weakest link in cyber defence
Over the past six years, Sri Lanka’s ambitious leap towards digital transformation has been mirrored by an equally aggressive and sophisticated surge in cybercrime.
What began at the turn of the decade as localised hacktivism has rapidly mutated into a high-stakes arena of State-level disruption and devastating financial heists.
As the nation integrated digital payments, expanded its digital public infrastructure, and shifted critical Government operations online, its vulnerabilities became prime targets for global and domestic threat actors alike.
Sri Lanka has experienced a significant rise in cybersecurity incidents with major threats including ransomware, Business Email Compromise (BEC), and data breaches targeting critical infrastructure, Government networks, and the financial sector.
Current cybersecurity landscape
When contacted by The Sunday Morning, Digital Trust Alliance (DTA) President Lakmal Embuldeniya described Sri Lanka’s current cybersecurity landscape as being in “pretty bad shape,” highlighting that the country’s rising push towards digital transformation had made safeguarding national systems more crucial than ever.
Cyberattacks against Sri Lankan institutions are not a sudden or entirely new development, but have been surfacing and becoming more evident as a result of regulatory pressure and reporting requirements imposed in recent years.
He cited the measures implemented by the Central Bank of Sri Lanka through the Regulatory Framework on Technology Risk Management and Resilience for banks and financial institutions in 2021, where organisations were required to establish cybersecurity controls, appoint a Chief Information Security Officer (CISO), and report cybersecurity incidents.
“These issues were there even post-Covid. There were ransomware incidents and breaches, but they never surfaced publicly like now because there was no regulatory pressure to disclose them. However, institutions are now accountable to share this information with the public. Cyberattacks have not increased suddenly; they have always been there,” he explained.
At a time when Sri Lanka is rapidly digitising and promoting digital services, online banking, and digital identification systems, Embuldeniya stressed that the cyber threats that targeted Government institutions and e-governance systems posed a serious risk as such attacks could affect the public trust in the country’s digital domain.
“Repeated and increased cyber incidents leave quite an impact on a country’s digital footprint and digital reputation globally. Sri Lankan IP addresses could be blacklisted,” Embuldeniya noted, adding that if cyberattacks continued to originate within the country, Sri Lanka could be viewed with suspicion by foreign organisations and networks, leading to reputational consequences.
“We do not have a proper process to get system updates and upgrades. We also do not have a proper methodology to allocate sufficient budgets to maintain existing systems. These are key problems. Around 10 years ago, Sri Lankan agencies were investing enough in cybersecurity infrastructure, but as far as I know, these investments are insufficient at present,” he acknowledged.
He further stated that cybersecurity expertise in the Government sector was near zero and many officials managing digital systems did not have sufficiently comprehensive training in cybersecurity.
“People who run these systems do not have much training in cybersecurity. They might have insight in general IT knowledge, but it’s very rare to find officials who are aware about the cybersecurity posture, how to secure a system, and what principles to apply. Safeguarding these digital systems is being overlooked, especially in the Government sector,” Embuldeniya said.
Regarding the motivations behind cyberattacks, Embuldeniya indicated that they were mostly aimed at disruption rather than being financially motivated, with their focus being to tarnish the country’s reputation. As Government institutions are unlikely to pay ransomware demands, the majority of these attacks are said to focus on disruption and reputational damage.
As solutions, Embuldeniya emphasised the critical need for nationwide cybersecurity awareness campaigns, fostering collaboration among Government agencies and military and independent experts, and significantly higher investments in cybersecurity infrastructure and protection mechanisms. “I believe that we have sufficient regulatory backing and the legal system to take action. But these are neither proactive nor are they preventing crimes from happening,” he said.
Key incidents between 2020 and 2026
Based on reports compiled by various domestic news outlets and official advisories from the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT), several events over the course of the past six years highlight the cyberattacks faced by the country.
- In May 2020, over a 48-hour window corresponding to the anniversary of the end of the civil war, a hacking collective identifying as the Tamil Eelam Cyber Force systematically breached and defaced more than 10 high-profile State portals.
The front pages of the websites of the Presidential Secretariat, Ministry of Public Administration, and Embassy of Sri Lanka in China were wiped and replaced with political messaging. This incident exposed a lack of centralised security oversight for websites hosted under the ‘gov.lk’ registry.
- During that same month, the nation’s primary telecommunications provider, Sri Lanka Telecom (SLT), was also hit by a targeted deployment of the REvil (Sodinokibi) ransomware. The attackers managed to encrypt a portion of SLT’s internal administrative servers.
SLT’s IT division rapidly isolated the infected internal systems to prevent lateral movement across the network. Local news reported a brief disruption in administrative services, but core customer connectivity (broadband, fixed lines) remained functional and subscriber personal data remained uncompromised.
- In February 2021, cybercriminals successfully executed a Domain Name System (DNS) spoofing attack targeting the localised Google domain (Google.lk), alongside several major domestic corporate sites. For several hours, users attempting to access Google within Sri Lanka were rerouted to a malicious server hosting a defaced landing page created by international hackers.
Domestic tech reporting highlighted that the attack did not breach Google’s corporate infrastructure itself; instead, it illegally manipulated the external directory maps that route local traffic to Google’s servers.
- On 18 May 2021, a website of a diplomatic mission operating in Sri Lanka as well as the websites of the Health Ministry, Energy Ministry, and the Rajarata University were affected by a cyberattack. This attack was also reported to have been conducted by an entity calling itself the Tamil Eelam Cyber Force.
- On 3 June 2021, the official website of then Prime Minister Mahinda Rajapaksa was hacked. The Information Technology Society of Sri Lanka (ITSSL) said that the Prime Minister’s website had been hacked in a manner in which any visitor to the website would be redirected to another website which displayed content related to bitcoin cryptocurrency.
- In August 2023, cybercriminals targeted the Lanka Government Cloud (LGC) 2.0 system, managed by the Information and Communication Technology Agency (ICTA). This stands as Sri Lanka’s most operationally severe data loss.
The ransomware completely encrypted the centralised cloud databases, resulting in the permanent and unrecoverable destruction of over three months of official Government emails (spanning 17 May to 26 August 2023). Over 5,000 top-tier institutional email accounts – including the central Cabinet Office – were wiped out.
This attack revealed that the cloud infrastructure was operating on an obsolete, unpatched version of Microsoft Exchange 2013, which had well-documented software gaps, and the Government’s automated backup system had failed to trigger properly since May 2023, leaving IT teams with no offline recovery options. Ultimately, the State was forced to rely on fragmented local computer caches to piece back together vital administrative files.
- In March 2025, Cargills Bank PLC suffered a massive cyberattack and data breach involving approximately 1.9 terabytes of data and over 1.1 million files, allegedly compromised by the Hunters International ransomware group. The leak exposed sensitive records including National Identity Card (NIC) copies, passport details, and staff signatures.
- From 2024 to 2025, the Department of Posts fell victim to a prolonged BEC. Over a two-year period, attackers intercepted and spoofed email instructions related to international postal settlement obligations. Nine fraudulent emails were exchanged, successfully diverting funds into unauthorised third-party accounts.
The illicit transfers happened in three phases: approximately $ 900 in 2024; $ 435,864 in February 2025; and $ 190,891 in October 2025. The discrepancy was flagged when the United States Postal Service (USPS) notified local authorities that the funds had never arrived, sparking a massive investigation.
While the Criminal Investigation Department (CID), Sri Lanka CERT, and the University of Colombo are investigating the breach, Sri Lanka CERT has been granted permission to conduct forensic on-site inspections of the Department of Posts’ email system in Colombo.
- In January 2026, in a high-stakes financial compromise, hackers successfully intercepted a sovereign debt repayment settlement process managed by the Ministry of Finance’s External Resources Department (ERD). A sum of $ 2.5 million – intended as a bilateral debt repayment instalment to the Australian Government – was entirely misrouted to fraudulent accounts.
As confirmed by Finance Ministry Secretary Dr. Harshana Suriyapperuma at a national press conference, the attackers intercepted and diverted the money to fraudulent third-party bank accounts.
Having taken advantage of an ERD official who was physically away on leave, the hackers hijacked active transaction threads. They altered the destination international bank routing codes, causing the Treasury to unknowingly wire the $ 2.5 million into rogue accounts spanning Dubai and Delaware. It was reported that investigators from Canberra, Australia, and the International Monetary Fund (IMF) were brought in to audit the Treasury’s digital architecture following the heist.
- In May 2026, the Chennai branch of the country’s National Carrier, SriLankan Airlines, became one of the latest high-profile casualties of vendor email spoofing. A routine operational payment of AED 974,500 (roughly Rs. 80 million) was entirely diverted to an incorrect bank account.
Independent fact-checking and Police reports published by Fact Crescendo Sri Lanka showed that hackers compromised the communication platform of a Dubai-based service provider that works with the airline. The attackers generated a fraudulent corporate invoice with altered bank routing details, tricking the airline’s financial department into sending the Rs. 80 million payment directly to a rogue bank account in Abu Dhabi.
- Finally, the most recent of such cyberattacks took place in May 2026. While it was not an attack on local networks, international cybercrime syndicates actively moved operations into Sri Lankan territory, using it as a staging ground for global digital scams. In a massive country-wide raid, Sri Lankan law enforcement, Immigration, and Customs officials dismantled organised hubs inside rented commercial buildings and luxury estates, arresting over 1,000 foreign nationals.
It was noted that these international operations shifted to Sri Lanka to take advantage of flexible tourist visa rules and highly stable, fast commercial internet infrastructure. These compounds were used to execute high-value digital crypto scams and ‘pig-butchering’ operations targeting victims all over the world.
Cyberattacks vs. cyber scams
Sri Lanka CERT Lead Information Security Officer Charuka Damunupola told The Sunday Morning that Sri Lanka had witnessed a considerable increase in cyber-enabled crimes over the past few years, particularly between 2024 and 2026, although large-scale cyberattacks remained comparatively low in numbers.
Damunupola noted that cyberattacks and cyber-enabled scams should be regarded separately, pointing out that direct cyberattacks (pure cybercrimes) fell under the Computer Crime Act, whereas scams, also known as cyber-enabled crimes or indirect cybercrimes, involved the use of the internet or a computer network.
“Cyberattacks and scams are two different things. Cyberattacks are serious concerns like ransomware, website compromises, and server compromises, while scams or cyber-enabled crimes are conducted using the internet and computer networks. Scams have risen over time, but compared to that, the number of cyberattacks is relatively very low,” he explained.
Damunupola pointed to human vulnerabilities as the weakest link in cybersecurity, noting that attackers often used social engineering tactics to manipulate humans to compromise systems.
“In any cyberattack, humans are the weakest link. That is why there should be increased awareness, since hackers or attackers tend to manipulate human nature using social engineering tactics which eventually lead to a compromise in a system. Regardless of how many technical controls and processes are in place, the human factor must also be considered in terms of strengthening cybersecurity,” he said.
Cybersecurity policies
Sri Lanka CERT functions as the focal point for reporting any cybersecurity incident, especially in the Government sector, while also implementing national-level cybersecurity strategies and policies among Government organisations. As explained by Damunupola, among its initiatives, Sri Lanka CERT has been overseeing the implementation of the National Cyber Security Strategy and cybersecurity policies targeting Government organisations.
In a direct counter-offensive against escalating digital threats, the Government officially launched its National Cyber Security Strategy (2025–2029), pairing long-term policy with 24/7 operational defence. Under a directive approved by the Cabinet, the policy establishes a comprehensive legal and administrative framework designed to transition State machinery into a resilient, zero-trust digital ecosystem.
The cornerstone of this updated strategy is the newly inaugurated National Cyber Security Operations Centre (NCSOC), which serves as a dedicated 24-hour threat-monitoring hub. It explicitly mandates the integration and real-time monitoring of 37 Critical Information Infrastructure (CII) organisations – spanning vital civilian domains like immigration, public finance, taxation, and motor traffic – to neutralise web-borne cyber threats, financial scams, and corporate espionage before they can compromise national security or disrupt the country’s economic recovery.
Generative AI and cyberattacks
Embuldeniya also warned that the rapid advancement of Artificial Intelligence (AI) would make cyberattacks far more difficult and challenging to control and prevent in the future. “With Generative AI, computers are increasingly becoming more intelligent. Now you do not even need to have expertise to hack because of tools like Agentic AI. It is becoming easier for someone to compromise a system than to secure it,” he said.
Damunupola too warned that advancing technologies, specifically AI, were being increasingly utilised to commit cybercrimes at present. He elaborated: “We see a lot of misuse of AI-related technologies, including the creation of deepfakes, manipulated photos resulting in cyber sexual harassment, hate speech, and spreading of misinformation and disinformation. Also, in some sophisticated cyberattacks like ransomware, we are witnessing the involvement of AI to generate certain malware.”
Meanwhile, cybersecurity and AI policy expert Asela Waidyalankara said that the cybersecurity landscape remained uneven across sectors, with certain industries or sectors having far better digital maturity than others. He added that sectors such as banking and telecommunication had developed and advanced cybersecurity systems, while other sectors including certain State organisations remained less well equipped.
“If you take the last five to seven years, there has been some momentum around digitisation and digital transformation in the country. Certain sectors have digitised quite fast. We have had fairly decent smartphone penetration in the country. Within that backdrop, the cyber risk has also increased,” he said, explaining that with increasing digital adoption, cyber risks also naturally increased.
Warning about the expanding role of AI in cybercrimes, Waidyalankara said that AI had considerably accelerated cyber threats by making attacks cheaper, faster, and more personalised. “As seen globally, cybercriminals in Sri Lanka are also using extensive AI tools. AI has accelerated cybersecurity concerns and vulnerabilities further,” he said.
Despite the concerns about AI-accelerated cyber threats, Waidyalankara stressed that Sri Lanka’s major challenge was the failure to address the fundamentals of cybersecurity governance.
Institutional negligence
Waidyalankara also suggested that Sri Lanka’s 2022 economic crisis may have drawn increased attention from cybercriminals due to international reporting on the situation. He noted that breaches in State institutions could not be understood solely as technological failures, arguing that the key problem was the tendency of many institutions to treat it as an ‘IT problem’ rather than a larger governance issue.
“People still think it is an IT problem, but it is not. Cybersecurity is a far more in-depth discipline involving technology, processes, and people working together. The real issue is that we are not paying enough attention to training people and having proper processes and governance around IT and cybersecurity. Without that, these problems will continue,” he stressed.
Waidyalankara identified human vulnerability and lack of awareness as the most common and easily exploited weaknesses that could compromise Sri Lankan institutions, particularly in the State sector. Referring to recent phishing and BEC incidents, he noted that many breaches occurred as a result of people unknowingly exposing their credentials or falling victim to fraudulent communications rather than sophisticated hacking.
“The human element of cybersecurity is the weakest link. There is still ignorance around that. With the most recent BEC incidents, a lack of training was clearly evident. If they had been properly trained, they would have been able to spot such errors faster. There is a significant gap and weakness around awareness and the human aspect of cybersecurity,” he stated.
Waidyalankara highlighted that while Sri Lanka had highly competent cybersecurity professionals in industries like banking, telecommunication, and software services, there was still a considerable shortfall of such individuals within Government organisations.
“In State institutions, apart from Sri Lanka CERT, I do not think there are many people working in cybersecurity. Globally, there is a shortage of cybersecurity professionals,” he said, adding that the private sector attracted experienced cybersecurity professionals mostly due to remuneration and salary scales that were significantly higher.
He further explained that to address the issue, the State should consider establishing a cadre of cybersecurity professionals within the State structure. He also suggested a methodology to allow salary scales similar or comparable to the private sector in order to empower individuals to take on these roles.
“The moment you treat this as a technology problem, the issue begins and continues. Management, senior leadership, and policymakers do not take it seriously enough. We have spent enough money learning that lesson. It is time they started realising the actual problem,” he said.