The Committee found that the fraud was not a one-off lapse, but the product of governance, procedural and operational failures across several institutions.
Over a period of roughly four months, from November of last year, a criminal group compromised the email system of the External Resources Department, impersonated Australia's export credit agency using a lookalike internet domain, and collected two and a half million United States dollars in Sri Lankan sovereign debt repayments. The money went to shell companies at a bank in Abu Dhabi.
In its own words, the Committee described the fraud as "not an isolated lapse, but a consequence of governance, procedural, and operational failures across multiple institutions."
Some of the details set out in the report are extraordinary. On the 26th of November, the Central Bank's Finance Department flagged that a payment was going to a beneficiary in the United Arab Emirates whose address did not match Export Finance Australia's, warned of anti-money-laundering concerns, and instructed the Ministry to reconfirm the account details with the lender.
The Ministry then emailed the fraudulent domain and asked the fraudster to confirm the fraudster's own bank details.
Speaking to Gold FM about the Ministry's response to that warning, Dr de Silva said the fraud worked by inserting fake actors on both sides of the exchange. "The real guy from the Ministry spoke to the fake guy, and the fake guy spoke to the real Finance Ministry guy," he said, adding that the Criminal Investigation Department would need to look further into it, as the Committee did not have the authority to obtain phone and message records.
"When they told them to go check on it, they checked on it and said, 'That's fine,'" Dr de Silva said, referring to the response given after the Central Bank's warning. "So if the government says 'That's fine,' what more can the Central Bank do?"
The correct bank details were already sitting in Ministry inboxes at the time. On the same day, the real Export Finance Australia had sent revised invoices with the correct account. An officer had confirmed receipt. The payments still went out to the fraudster.
Nobody, the Committee found, appeared to have read the beneficiary names. Sri Lanka wired sovereign debt payments to "Mish Global LLC," "LMH Global LLC," and "Sifra Watan Project Management Services" at an Abu Dhabi bank, each styled as being "in care of" Australia's export credit agency. No one, the report notes, thought to ask why Australia's export credit agency was being paid through a Delaware limited liability company.
Officials also went on paying after they knew they were being defrauded. On the 6th of January, JPMorgan's fraud team blocked a Sri Lankan payment to the Export-Import Bank of India. Three days later, the External Resources Department reported the compromise to the CID and to the Sri Lanka Computer Emergency Readiness Team, explicitly naming a spoofed domain. Eleven days after that, Sri Lanka wired a further USD 997,799 to "Mish Global LLC" at TD Bank.
Dr de Silva said the Ministry had been under the impression that the payments had gone through correctly.
"They were paid, but not appropriately," he said. "It was paid to various unbelievable accounts in Dubai. One was supposed to be paid to an account in Vietnam, or some place crazy."
The fraud, he said, was only discovered when the Australian entity itself reached out to Sri Lanka to ask where its money was. "They only found out about this in March, when the Australian entity told them: what the hell is happening, where is our money?"
Along the way, officials negotiated an arrears schedule with the real lender for money that had already been lost, blaming the delay on Cyclone Ditwah and on what the Committee describes as "an alleged Cabinet-approved timeline."
The fraud was ultimately spotted on the 23rd of March this year, when an officer noticed that emails from what was supposed to be one lender were arriving from three different email addresses. Three foreign banks, the Committee noted, caught what Colombo did not. The Federal Reserve Bank returned funds. Citibank blocked the leg through the UAE. JPMorgan blocked the India payment.
The Committee made no finding that anyone inside the Ministry was complicit in the fraud, but asked law enforcement to determine whether there was any internal collusion.
Asked whether the malicious actors were on the Sri Lankan or the Australian side, Dr de Silva told Gold FM: "There were two sets of people, real and fake, on both sides." Pressed on whether there were malicious actors within the Ministry itself, he said, "No, we don't know that. What we know is domain names. So from one domain name to another domain name, from one email address to another email address, a message goes: 'Oh my God, disaster has happened. We don't have money. Can you please give us some additional time to pay.' Now who is that?"
The Committee also found that the External Resources Department was running its email on a Microsoft Exchange server released in 2016, for which the manufacturer's security updates had stopped on the 14th of October last year. The fraud began in the middle of November.
Prior warnings, the report found, had already been given. A joint audit by KPMG and the Sri Lanka Computer Emergency Readiness Team, conducted in December 2024, found no multifactor authentication, weak passwords, and undefined roles. The Cabinet had ordered the Ministry of Finance to connect to the National Cyber Security Operations Centre. Four reminder letters went out. As of last month, the Ministry was still, in its own words, "in the process of establishing connectivity."
Dr de Silva called the state of the Ministry's IT systems appalling. "It is appalling that the email exchange server was old, that it had reached its end of life, and there was absolutely no support for the emails," he said. "So as far as we are concerned, it was like, naked. Anybody could have interfered with that. Anybody could have got into that system."
He added that a system handling billions of dollars in debt payments should never have been left in that state. "It is almost inviting, saying: look, this is unchecked, do whatever you can."
The Committee further found that a single Director of the Debt Servicing Unit was authorising the release of every foreign debt payment out of the Consolidated Fund, without sign-off from any senior official or from any other department.
Only four mid-level officers were suspended over the fraud. The Committee noted, without elaboration, that "the sudden death of one of these four employees is indeed most unfortunate." No official at the level of Director-General or above faced action.
The Ministry of Finance's own report to the Committee had blamed the Central Bank of Sri Lanka heavily for the fraud, claiming among other things that it had occurred as a result of overwriting of existing records "under the supervision of officials of the CBSL." The Central Bank rejected that account in unusually forceful terms, calling it "factually incorrect," "legally untenable," and, of one Ministry claim, an "attempt of misrepresentation of events."
The system logs and two opinions from the Attorney General went in the Central Bank's favour. The logs showed that officers of the new Public Debt Management Office held their own login credentials from mid-October and had created and completed transactions of their own before the Australian payments went out. No existing settlement instruction was ever overwritten. The Attorney General ruled that external debt servicing had moved to the new office three weeks before the first fraudulent payment.
The Central Bank, however, was not entirely cleared. The Committee names, at the top of the accountability chain, the Governor of the Central Bank and the Secretary to the Treasury as bearing responsibility for governance lapses.
The Committee recommended, among other steps, that the Financial Transactions Reporting Act be amended to bring the Central Bank's role as banker to the government within its reach, and that a public sector whistleblower policy be put in place.







