• Police traces links between global fraud rings, local facilitators 
• Surge in complaints signals expanding threat landscape
• Seasonal scams, impersonation tactics target vulnerable users
• Enforcement agencies strengthen tracing tools amid crypto challenges

Investigations into a recent surge of sophisticated cybercrime operations in Sri Lanka have exposed a deeply concerning operational model underpinning these illicit activities. 

Authorities told The Sunday Morning that foreign digital fraud syndicates were not operating in complete isolation but were increasingly leveraging local criminal networks to execute and sustain their schemes.

Police Media Spokesperson ASP F.U. Wootler revealed that ongoing investigations had already identified direct linkages between transnational actors and domestic facilitators. 

Addressing the involvement of local elements, Wootler said: “We have established certain local connections. The Computer Crime Investigation Division is conducting thorough inquiries and the courts will ultimately determine the full extent of these linkages based on the evidence.” 

This acknowledgement highlights a critical evolution in the country’s cybercrime dynamics. While foreign nationals may orchestrate the overarching architecture of these scams, their daily success often depends heavily on local logistical support, access to domestic internet infrastructure, and integration into existing organised criminal ecosystems. 

This hybrid operational structure significantly enhances their ability to evade immediate detection while operating within Sri Lankan territory, as local facilitators can secure housing, transportation, and communication tools on behalf of the foreign operators.

Growing public concerns

The scale of this threat has expanded rapidly in the early months of 2026. Both the Sri Lanka Police and the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) have reported a steady and alarming increase in complaints related to online financial fraud. 

Coupled with high-profile Police raids resulting in the arrests of large groups of foreign nationals, this statistical trend has fuelled intense public concern that Sri Lanka could be rapidly emerging as a regional base or centralised hub for transnational cybercrime. 

Minister of Public Security Ananda Wijepala addressed these growing public concerns directly, offering a more measured and data-driven interpretation of the recent developments. While openly acknowledging the involvement of foreign nationals from countries such as China, Taiwan, and Vietnam, he firmly rejected the characterisation of Sri Lanka as a systemic cybercrime hub. 

“Labelling Sri Lanka a cybercrime hub based on isolated incidents is inaccurate. Although a significant number of individuals have been apprehended in recent operations, this reflects our enhanced intelligence gathering and heightened enforcement capabilities, rather than a structural shift in global criminal operations,” Wijepala explained.  

“We are taking decisive action to bring all offenders to justice based on credible intelligence, regardless of their nationality. Consequently, the frequency of our targeted raids has increased significantly,” Wijepala added. 

The Minister also highlighted the unique jurisdictional complexity of these specific cases. Many of the apprehended suspects use Sri Lankan digital infrastructure exclusively to target victims located overseas, placing the island nation at the complex intersection of global cybercrime financial flows. 

“Our primary concern is that these transnational actors are utilising Sri Lankan territory to defraud victims internationally. Our immediate response is to arrest and deport them, facilitating requests from affected countries to have these individuals handed over for prosecution,” he noted. 

Regarding the immediate status of those detained, the Minister said: “The recently apprehended suspects remain under active investigation. We will ensure they are produced before the court in accordance with all necessary legal procedures before taking further action.”

Legal and immigration hurdles

Managing and prosecuting foreign suspects involved in cybercrime presents significant legal and administrative challenges, requiring close and constant coordination between law enforcement and immigration authorities. 

ASP Wootler explained the standard operational procedures regarding these foreign actors, noting that many initially entered Sri Lanka on legitimate tourist visas before choosing to overstay and engage in illicit activities.

“Foreign nationals occasionally engage in financial and cyber fraud within Sri Lanka. Typically, these individuals enter the country legally but subsequently overstay, violating the Immigrants and Emigrants Act. Such violators are apprehended by the Immigration and Emigration Department and subjected to deportation or removal procedures,” Wootler said. 

He further contextualised the motivations of some smaller-scale operators, noting that they often turned to crime out of desperation. “In many instances, these individuals arrive in Sri Lanka as tourists. Once their funds are depleted, they collaborate with local contacts to initiate small-scale scams to sustain themselves financially.” 

However, the legal process becomes far more complex when active criminal fraud is established by investigators. Individuals found to be directly involved in financial cybercrimes must first face prosecution within Sri Lanka’s domestic judicial system before any administrative deportation proceedings can be initiated by the State. 

“During routine interrogations, the Police sometimes discovers a suspect is involved in cybercrime. In such cases, the Computer Crime Investigation Division takes over the inquiry and the individuals are prosecuted under Sri Lankan law,” Wootler clarified. “Any foreign national who violates the laws of Sri Lanka will be prosecuted to the fullest extent of our existing legal framework.”

The Department of Immigration and Emigration is concurrently tasked with the massive administrative burden of verifying the legal entry status of those arrested in large-scale sweeps. Controller General of Immigration and Emigration Chaminda Pathiraja acknowledged the severe procedural challenges involved in handling these sudden influxes of foreign detainees. 

“We must meticulously verify each case. Specific details are not immediately available, particularly when suspects are actively being produced in court. We are required to examine each passport and entry record individually,” Pathiraja stated. 

He stressed that the accurate classification of visa categories was absolutely essential for determining the appropriate administrative action and uncovering the full scope of the syndicate’s operational methods. 

Tactics and exploitation

Cybercriminal networks operating within Sri Lanka have increasingly shifted away from complex software hacking and towards highly sophisticated social engineering tactics that exploit human vulnerabilities, it is learnt. The Police Media Division has identified a highly prevalent and devastating scam model involving the direct impersonation of trusted national institutions.

In these targeted schemes, fraudsters confidently pose as official representatives of commercial banks, telecommunications providers, or State agencies. They meticulously persuade vulnerable victims to install specific mobile applications on their personal devices under the guise of providing urgent technical assistance or resolving fabricated account issues. During this deceptive installation process, victims are often manipulated into granting comprehensive screen-sharing access to the caller. 

“This method grants fraudsters remote visibility and control over the victim’s device, allowing them to execute unauthorised financial transactions directly through the victim’s online banking platforms,” Sri Lanka CERT Lead Information Security Engineer Charuka Damunupola warned. 

This specific method is particularly effective and dangerous because it completely circumvents traditional cybersecurity safeguards. By visually observing one-time passwords and secure two-factor authentication codes in real time, criminals can easily bypass even the most robust banking security systems deployed in the country.

Damunupola noted that these massive operations were supported by increasingly sophisticated technical infrastructure that required a unified national response. 

He emphasised the critical importance of strengthening regulatory frameworks alongside technological defences and highlighted the vital role of specialised units within the Criminal Investigation Department, which were specifically equipped to conduct advanced digital forensics and trace complex, layered financial transactions across borders. 

Damunupola asserted that strengthening Know Your Customer (KYC) protocols across both the banking and telecommunications sectors was absolutely critical to improving traceability and permanently disrupting these criminal networks. 

When service providers stringently verify the identities of their clients, it creates massive logistical hurdles for syndicates attempting to acquire the local SIM cards and domestic bank accounts necessary to facilitate their scams.

Tracking funds and cryptocurrency challenges

The growing global use of decentralised cryptocurrencies presents a massive and evolving challenge for domestic investigators. Digital assets enable rapid, cross-border fund transfers that intentionally bypass traditional banking systems and regulatory oversight, making them highly attractive tools for syndicates laundering their illicit proceeds. 

Despite these inherent technical challenges, Damunupola confirmed that Sri Lankan law enforcement agencies were increasingly equipped and trained to monitor such complex transactions. “Specialised tools are now available to trace blockchain transactions. Law enforcement agencies currently possess the necessary visibility to effectively monitor and investigate blockchain-related financial incidents,” he explained. 

Sri Lankan authorities have also actively established collaborative working relationships with major international cryptocurrency exchanges and the Financial Intelligence Unit. These corporate and inter-agency partnerships are deeply instrumental in tracking illicit financial flows on the public blockchain, freezing suspicious digital accounts before funds can be withdrawn and ultimately identifying the hidden beneficiaries of these sprawling cyber fraud operations.

Seasonal vulnerabilities and public awareness

Cybercriminals have repeatedly demonstrated a high degree of adaptability, specifically tailoring their deceptive strategies to exploit cultural and seasonal trends within the country. During the recent Sinhala and Tamil New Year period, Sri Lanka CERT observed a marked and deliberate increase in targeted social media scams. 

“Cybercriminals strategically exploit periods of high online engagement, such as the festive season, to manipulate public trust and target vulnerable individuals,” the agency noted. These seasonal scams most often involve the promotion of fake cultural competitions, deceptive promotional offers, and non-existent prize giveaways. 

Fraudsters frequently and convincingly impersonate well-known retail brands, popular supermarkets, or respected community organisations. Their primary objective during these campaigns is to harvest valuable personal data, including sensitive images, national identity details, and direct financial information.

In far more aggressive operational variants, fraudsters directly impersonate senior bank officials or high-ranking law enforcement officers. Using severe intimidation tactics, they coerce panicked victims into transferring funds to secure accounts. Victims are frequently threatened with fabricated legal consequences, such as false claims of money laundering, or are intentionally misled into believing their personal accounts have already been compromised by hackers.

As Sri Lanka confronts this evolving digital threat, the Government is pursuing a dual strategy of aggressive law enforcement and widespread public awareness. Intelligence-led operations will systematically target foreign syndicates and their local collaborators, while ongoing education campaigns aim to reduce citizen vulnerability.