• Over 600 foreign nationals arrested in islandwide cybercrime raids in 2026 alone
• Luxury apartments, tourist visas, crypto networks fuel expanding scam operations
• Police warns landlords to report tenants amid fears of organised criminal safe havens
• Authorities say SL becoming a new base for transnational digital fraud networks
• Weak oversight, easy infrastructure access aiding sophisticated fraud operations

In what has become a recurring theme in Sri Lankan law enforcement, authorities have once again disrupted major illicit operations run by foreign nationals.

According to reports from early May, the Police carried out separate raids in the commercial capital of Colombo and the southern coastal district of Matara, leading to the arrest of individuals suspected of engaging in financial scams and violating visa conditions.

During the first incident on Wednesday (6) evening, a team of officers attached to the Kollupitiya Police Station executed a raid at a housing complex located in the Sri Uttarananda Mawatha area.

The operation successfully apprehended 74 foreign nationals. The Police confirmed that the individuals were Vietnamese nationals aged between 19 and 39. The Kollupitiya Police is conducting further investigations into their specific involvement in digital fraud.

Concurrently, a separate operation unfolded in the south. The Divisional Crime Detective Bureau of Matara raided a hotel in Talalla, Gandara, arresting six more foreign suspects including a female. Law enforcement officials stated that these individuals had been conducting unauthorised businesses while staying in the country on tourist visas and that they had also been found in possession of foreign cigarettes. 

The suspects, identified as Taiwanese and Chinese nationals aged between 25 and 40, are currently under investigation by the Gandara Police. These simultaneous arrests underscore a rapidly growing trend of transnational criminal networks attempting to establish operational bases within the island nation.

The escalation in 2026

The arrests in Kollupitiya and Matara represent merely the latest fraction of a much larger and highly coordinated crackdown. Sri Lanka has experienced an unprecedented surge in the infiltration of transnational cybercrime syndicates during the first half of 2026. 

Data released by the Police Media Division paints a comprehensive picture of the scale and geographic spread of these operations. The statistics reveal a concentrated effort by law enforcement to dismantle large networks of foreign nationals utilising the island as a base for digital fraud and extortion.

The initial major operation of the year took place on 23 February in Cinnamon Gardens, resulting in two separate raids that netted a total of 21 Chinese nationals. The sheer volume of these illegal enterprises became distinctly apparent weeks later. 

On 16 March, authorities executed coordinated raids across three hotels in Mihintale and Anuradhapura, leading to the apprehension of 133 Chinese nationals. The geographic distribution of these scam centres continued to expand rapidly. On 20 March, a raid in Kochchikade resulted in the arrest of 77 Indonesian citizens.

Law enforcement agencies maintained their momentum throughout late March. A subsequent operation on 24 March in Poddala, Kurunegala, saw the detention of 12 Vietnamese and five Chinese nationals. This was closely followed by dual raids in Negombo on 27 March, which resulted in the capture of 43 Chinese nationals, alongside several Malaysian and Cambodian individuals. 

As the crackdown intensified in April, the numbers swelled further. A massive sweep on 2 April in Chilaw dismantled a hub containing 133 Chinese, 13 Vietnamese, and one Malaysian national. Later that month, on 22 April, an operation in Dungalpitiya concluded with the arrest of 30 suspects hailing from China, Malaysia, and India.

May demonstrated the sophisticated and multi-national nature of these syndicates. On 2 May, Police conducted a raid in Koswatta, apprehending 37 Chinese nationals. On the very same day, a landmark operation at a residential complex along Meda Welikada Road in Rajagiriya resulted in the arrest of 121 individuals representing a diverse array of nationalities, including citizens from China, Myanmar, Malaysia, Vietnam, and the Philippines. 

This continuous string of high-profile operations has brought the total number of foreign nationals arrested for cybercrime in 2026 to well over 600, highlighting a significant shift in regional criminal activity.

Mechanics of infiltration

To understand the sudden influx of these syndicates, it is necessary to examine the broader geopolitical and law enforcement landscape of the Asia-Pacific region. 

Historically, massive cyber fraud operations, often referred to as telecom fraud centres, were concentrated in specific regions of Southeast Asia. However, recent aggressive crackdowns by international coalitions and regional governments in those traditional strongholds have forced criminal organisations to seek out alternative jurisdictions.

Sri Lanka presents a unique set of vulnerabilities and advantages for such syndicates. The country offers widespread high-speed internet connectivity, an adaptable technological infrastructure, and relatively straightforward tourist visa entry procedures. These factors, combined with a post-crisis economic environment where high-paying rental agreements are readily accepted, have inadvertently created an attractive operational base for international fraudsters.

The individuals brought into the country to staff these operations are often lured by false promises of legitimate employment in data entry or customer service. Once isolated in these facilities, they are coerced into executing cryptocurrency scams, romance frauds, and digital extortion schemes. 

A prominent tactic is the highly sophisticated psychological manipulation strategy where fraudsters spend months building trust and romantic rapport with victims online before convincing them to invest in fraudulent cryptocurrency platforms, which eventually vanish along with the victim’s funds.

The mechanics of how these individuals enter and operate within the country rely heavily on exploiting standard immigration pathways. Police Spokesperson ASP F.U. Wootler clarified the legal thresholds crossed by these suspects. 

“Any foreigner who visits the country will have a valid visa and passport. These particulars are incorporated into the Department and Immigration and Emigration. Any foreigner who overstays after their valid dates commits an offence under the Immigrants and Emigrants Act, and authorities will take action against them.” 

Beyond simple visa violations, the core activities of these groups trigger much heavier statutory consequences. Law enforcement agencies rely on a combination of the Computer Crime Act, the Penal Code, and financial regulations to build cases against the operators.

“Foreigners involved in criminal activities, such as cybercrimes and illegal money laundering, are to be prosecuted within the existing laws. In 2026, from 1 January to date, there were approximately 700 foreign nationals arrested,” he said.  

Recognising the technical sophistication and rapid expansion of these networks, the national Police apparatus has undergone structural adjustments to better confront the threat. The traditional policing framework has required modernisation to handle the sheer volume of digital evidence and the complexities of transnational online fraud.

“Cybercrimes are on the rise. A special Cyber Crime Division has been established under the guidance of the Inspector General of Police to investigate all cyber matters, and stern, swift action will be taken against such perpetrators,” Wootler said.  

When questioned regarding reports of a suspect going missing from remand following the recent arrests of 120 individuals, he indicated that official channels had not yet been briefed on such an anomaly.

“I have not been briefed on that matter, so I cannot confirm this at this time,” he said.

He further noted that the public must remain vigilant, adding that despite numerous arrests and ongoing prosecutions, citizens continued to fall prey to digital deception.

Digital forensics

While the Police executes physical raids and handles the custodial aspects of the crackdown, the digital battlefield requires a completely different set of expertise. The Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) operates as the apex national agency for cybersecurity. Its mandate involves securing digital infrastructure, analysing malicious software, and advising Government entities.

Sri Lanka CERT Lead Information Security Engineer Charuka Damunupola outlined the operational boundaries of the agency regarding the recent syndicates.

“Our role is mainly providing technical assistance to individuals who are victims of cyber scams. We provide technical support to recover their accounts and conduct public awareness campaigns,” he noted.  

The agency has recently bolstered its technical capabilities to counter sophisticated digital threats, particularly those aimed at State apparatuses and vital digital ecosystems. This includes a newly established technical facility designed to identify security breaches.

“The Malware Analysis and Threat Hunting (MATH) lab is primarily used for Government organisations to identify personal data breaches and credential leaks. The unit operates mainly for attack surface monitoring, including phishing domain takedowns and handling brand or domain name abuse,” he added.  

These capabilities have proven necessary as the nation grapples with severe cyber incidents. Notably, the agency is currently providing technical support for investigations into a massive $ 2.5 million loss from the Treasury.  

Navigating infrastructure and cryptocurrency hurdles

A defining characteristic of the recent raids in areas like Rajagiriya and Negombo is the discovery of massive hardware stockpiles. Syndicates utilise hundreds of mobile phones, tablet computers, laptops, and thousands of SIM cards to create a dense, untraceable web of digital communication.

The sheer scale of the hardware procurement was further highlighted on 16 April, when authorities intercepted nine Chinese nationals at the Bandaranaike International Airport (BIA) in Katunayake. These individuals were caught attempting to smuggle a massive consignment of electronic communication equipment by taping the devices directly to their bodies. 

The seized contraband included 383 used mobile phones, 101 tablet computers, and six WiFi routers. This level of coordinated smuggling demonstrates the massive infrastructural demands of these illicit networks. To accommodate this hardware, syndicates routinely rent out entire floors of luxury apartment complexes or take over boutique hotels to house both their operators and their specialised equipment.

A logical countermeasure might involve utilising Internet Service Providers (ISPs) to identify unusual data consumption patterns or suspicious concentrations of IP addresses. However, Damunupola explained the legal and procedural hurdles that prevent arbitrary network monitoring.

“There is no way to flag ISPs because perpetrators use standard procedures, such as providing a passport, to obtain internet connections. Unless an investigation discloses a specific IP address and a court order is obtained, we cannot flag traffic through ISPs,” he explained.  

The financial architecture of these scams poses an equally formidable challenge. Traditional bank transfers are rarely utilised by modern syndicates. Instead, they rely on decentralised cryptocurrency exchanges and encrypted messaging applications to move stolen funds instantly across borders, severely complicating asset recovery efforts.

“Investigations involving cryptocurrency accounts and financial transactions are handled by the Police and the Financial Intelligence Unit, as they are the primary monitoring and investigating bodies for such cases,” Damunupola said. 

Regional intelligence and future cybersecurity strategies

The transnational nature of the syndicates necessitates a coordinated cross-border response. Evidence gathered from seized devices in Sri Lanka often contains critical intelligence regarding server locations, malicious software signatures, and financial routing protocols that could assist law enforcement in other jurisdictions.

“Through the Asia Pacific Computer Emergency Response Team (APCERT), we share threat reports and indicators of compromise with our regional networks. We also continuously issue public alerts on our social media platforms regarding the rise of WhatsApp scams and the necessary preventive steps,” Damunupola said. 

As the digital economy grows, the legislative framework must evolve in tandem. The Government introduced the National Cyber Security Strategy 2025–2029 in September 2025 to fortify the digital landscape. However, a common misconception exists regarding the need for entirely new legislation to prosecute digital scammers.

“The National Cyber Security Strategy focuses on the national landscape and pure cybercrimes, but most of these operations fall under general scams. Many people believe separate laws are needed, but frauds, cheating, and impersonation are already covered in our Penal Code. The technical challenges in investigations are what need to be addressed in the near future,” Damunupola said. 

Public accountability and rental regulations

The logistics of housing hundreds of operators require the unwitting or sometimes complicit cooperation of local property owners. The rapid establishment of these scam farms relies heavily on landlords who are willing to overlook suspicious activities in exchange for lucrative rental yields. The authorities are now pivoting to address this crucial vulnerability in the supply chain of organised crime.

Property owners hold a legal obligation to verify the identities of their tenants and report to the local authorities. Ignoring these statutory requirements not only facilitates international crime but also places the property owner in direct legal jeopardy. 

ASP Wootler delivered a stern warning regarding the responsibilities of landlords and property managers across the island.

“In consideration of the security arrangements taking place in the country, we strongly direct the public to keep the nearest Police station informed when renting out a residence, apartment, or commercial building temporarily or permanently,” he said.  

He noted the specific legal mechanisms that empowered law enforcement to monitor the transient populations within their jurisdictions. The legislation mandates proactive communication from citizens to prevent neighbourhoods from transforming into criminal safe havens.