Daily Mirror - Print Edition

Did the Finance Ministry fall prey to North Korean hackers?

29 Apr 2026

FBI Wanted poster for a North Korean hacker. Were they responsible? 


The recent exploit of US$ 2.5 million from Sri Lanka’s External Resources Department, which was tricked into funding a US$ 2.5 million sovereign debt payment to a malicious third-party account, is embarrassing enough. However, as the government has opted for a vague and self-contradictory narrative, and the opposition is going for cheap political mileage, there is an immediate life-and-death concern.

Who was the actual threat actor? Was it a business email compromise, no more sophisticated than the usual Nigerian prince, as many, including the Ministry of Finance, have admitted? That would be humiliating enough, but less worrying. Or was the External Resources Department targeted by a sophisticated threat actor such as North Korea’s Lazarus group? If the latter is the case, that should be cause for grave concern: there is most likely an ongoing threat, which could lead to cascading exploits.

It is difficult to make an educated judgment owing to sparse and vague details. Even with adequate information, it is unlikely that the matter is within the capacity of Sri Lankan authorities or the CID to investigate alone. Groups like Lazarus, a North Korean state-linked hacker collective, are far too sophisticated and beyond the imagination of local authorities. Some details, patchy as they are, suggest a far more sophisticated ‘break-in’ than the average Nigerian prince, Indian fake Microsoft Office help operatives, or pig-butchering scam centres operating from Myanmar and Cambodia are capable of.

That should be a case for immediate action. Instead of resorting to internal measures, the Finance Ministry should conduct a forensic audit by a reputed international cybersecurity firm. The cybersecurity firms that could match the sophistication of groups like Lazarus are few and far between; local remedies would not stand a chance. Sri Lanka should also seek assistance from the FBI, which has a long track record of investigating cyber theft, including by the Lazarus group.

The countdown to the External Resources Department exploit, based on limited details, is as follows:

Late 2025 – Early 2026: a third party gained unauthorised access to the External Resources Department’s computer systems through email manipulation. Information varies. According to some sources, the Finance Ministry funded the third-party account on the strength of a phishing email posing as the legitimate Australian lender. It is alleged that no verification of the account details against those in the original loan document had been conducted before the transaction was authorised. Nor had there been phone verification, or verification with a whitelisted email address. Instead, the authorities called the phone number given in the email and verified the account number with the attacker.

January 2026: Criminals successfully redirected a $2.5 million payment; i.e., the External Resources Department funded the malicious third-party account itself, duped by the attackers. This sounds like your average Nigerian prince scam.

The sum was part of a larger $22.9 million bilateral debt repayment intended for Australia.
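The verification failures listed above (no comparison of the beneficiary against the signed loan document, no callback to a pre-registered number, and a callback placed to the number supplied in the suspect email) map onto a few simple checks. The following is an added illustration, not code from the Finance Ministry or from this article; the loan registry, account numbers, domains and phone numbers are constructed sample values, and the hold-or-release rule is a hypothetical one.

```python
"""Beneficiary-change verification for a debt-service payment instruction.

Hypothetical example of the control the article says was missing: compare the
instruction against the beneficiary details recorded when the loan was signed,
and force any callback to the registered number rather than a number carried
in the email. All records below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LoanRecord:
    """Beneficiary details captured from the original loan agreement."""
    loan_id: str
    lender_domain: str          # whitelisted sender domain for this lender
    beneficiary_account: str
    beneficiary_bank: str
    verified_phone: str         # callback number recorded at signing


@dataclass
class PaymentInstruction:
    """What arrived in the inbox asking for a payment to be released."""
    loan_id: str
    sender_email: str
    beneficiary_account: str
    beneficiary_bank: str
    phone_in_message: str       # number the email asks staff to call
    amount_usd: float


@dataclass
class VerificationResult:
    approved: bool
    callback_number: Optional[str]   # the ONLY number staff may call
    findings: List[str] = field(default_factory=list)


def verify_payment_instruction(instr: PaymentInstruction,
                               registry: Dict[str, LoanRecord]) -> VerificationResult:
    """Return HOLD (approved=False) on any deviation from the signed loan record."""
    record = registry.get(instr.loan_id)
    if record is None:
        return VerificationResult(False, None, ["unknown loan id"])
    findings: List[str] = []
    sender_domain = instr.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != record.lender_domain:
        findings.append(f"sender domain {sender_domain!r} is not the whitelisted "
                        f"{record.lender_domain!r}")
    if instr.beneficiary_account != record.beneficiary_account:
        findings.append("beneficiary account differs from the loan agreement")
    if instr.beneficiary_bank != record.beneficiary_bank:
        findings.append("beneficiary bank differs from the loan agreement")
    if instr.phone_in_message != record.verified_phone:
        findings.append("phone number in message differs from the registered "
                        "callback number and must not be used")
    # The callback number always comes from the registry, never from the message.
    return VerificationResult(not findings, record.verified_phone, findings)


# Constructed sample registry: one bilateral loan, details as recorded at signing.
REGISTRY = {
    "LOAN-AU-0001": LoanRecord(
        loan_id="LOAN-AU-0001",
        lender_domain="lender.example",
        beneficiary_account="AU-ACC-000111",
        beneficiary_bank="Example Lender Bank, Sydney",
        verified_phone="+61-2-0000-0000",
    )
}

# Constructed instruction in the pattern the article describes: a look-alike
# sender domain, a swapped beneficiary, and a replacement callback number.
SUSPECT_INSTRUCTION = PaymentInstruction(
    loan_id="LOAN-AU-0001",
    sender_email="treasury@lender-example.com",
    beneficiary_account="XX-ACC-999999",
    beneficiary_bank="Unrelated Bank",
    phone_in_message="+1-555-0100",
    amount_usd=2_500_000.0,
)

# Constructed genuine instruction that matches the signed record exactly.
GENUINE_INSTRUCTION = PaymentInstruction(
    loan_id="LOAN-AU-0001",
    sender_email="treasury@lender.example",
    beneficiary_account="AU-ACC-000111",
    beneficiary_bank="Example Lender Bank, Sydney",
    phone_in_message="+61-2-0000-0000",
    amount_usd=2_500_000.0,
)

if __name__ == "__main__":
    for label, instr in (("suspect", SUSPECT_INSTRUCTION), ("genuine", GENUINE_INSTRUCTION)):
        res = verify_payment_instruction(instr, REGISTRY)
        print(label, "RELEASE" if res.approved else "HOLD", res.findings)
```

The design point is that the record of truth is the loan agreement captured at signing, not the latest email; any deviation holds the payment, and the only number a gatekeeper is handed to dial is the one on file. A single check of this kind, run before the first of the thirteen sign-offs, would have flagged both the changed account and the attacker-supplied phone number.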

Early April 2026 (Discovery): The theft came to light only after Australian officials flagged that they had not received the scheduled payment.

April 23, 2026: A lawyers’ group, Free Lawyers, revealed the incident. After that, Treasury Secretary Harshana Suriyapperuma officially confirmed the breach and the resulting loss during a press conference in Colombo.

April 24, 2026: A high-powered internal committee was formed to investigate procedural lapses, leading to the suspension of four senior officers at the Public Debt Management Office.

However, this account itself leaves more questions than answers.

Separate debt payment

Harshana Suriyapperuma claims the exploit was flagged when officials discovered changes to the account details in a separate bilateral debt payment to India in January. However, the exploit in the Australian debt repayment came to light only in April, when the Australian government notified that it had not received the payment. That suggests the initial exploit of US$ 2.5 million had gone undetected even after the authorities flagged the malicious changes in the Indian loan payment and rectified them forthwith.

It may also suggest that the business email compromise was not confined to one transaction – or that the department had funded a third-party account, simply duped by an email. It appears that the attackers had obtained access to the internal system of the External Resources Department and changed data.

In some ways, this has hallmarks of the Bangladesh Central Bank heist of 2016, one of the most audacious cyber thefts, which attempted to steal nearly US$ 1 billion from a Bangladesh Central Bank account held in the Federal Reserve Bank of New York. The FBI later linked the Lazarus group to the bank heist.

The operation began with the group sending a spear-phishing email – an innocuous job application containing a malicious resume – to bank employees. Once the malware was downloaded, Lazarus spent roughly a year “casing” the bank’s internal systems. They moved laterally between computers to map the network and eventually reached the systems controlling the SWIFT terminal, which handled international wire transfers.

Fraudulent SWIFT transfers

In 2016, on a Friday timed to coincide with the Lunar New Year, the group issued 35 fraudulent SWIFT transfers, using credentials it had already obtained through the hack. However, the operation failed, by and large, due to a simple spelling error (writing “fandation” instead of “foundation”) and a coincidental flag on a Philippine bank branch located on Jupiter Street, which shared its name with a sanctioned Iranian vessel. The group netted US$ 87 million, which was routed to casinos; the rest of the transactions were reversed.

Twenty million dollars of the stolen funds were sent to a Sri Lankan account belonging to a small NGO called Shakila Foundation (misspelt in the SWIFT transaction as “fandation”). The transaction was flagged by the intermediary bank and simultaneously by Sri Lanka’s Pan Asia Bank, due to the unusually large amount. The transaction was blocked and the money eventually returned to the Bangladesh Central Bank. The Sri Lankan recipient, Hagoda Gamage Shalika Perera, claimed she was set up by an acquaintance and was unaware of the exploit.

Traditional financial institutions, such as banks, are considered safer than cryptocurrency networks because they have multi-layered safety nets. Unlike blockchains, where transactions are irreversible, banks can freeze and reverse transactions and conduct extensive verification and due diligence through multiple gatekeepers.

Interestingly enough, the ill-fated US$ 2.5 million transaction had reportedly passed through 13 officers at the Finance Ministry, each serving as a gatekeeper. None detected the error.

The disclosure by the Finance Ministry that it flagged malicious changes by a third party to the account details of an Indian loan raises concerns about whether the attackers had broken into the internal computer system of the Finance Ministry. If such a break-in has occurred, it might have compromised the system beyond the surface, leading to future exploits. That also suggests a sophisticated, multilayered attack, which might still be in progress. Attackers like Lazarus invest time and money and wait for months before they strike. (In the Kelp DAO case, a third party fronted by Lazarus deposited $1 million before draining the entire platform six months later.)

Political dogfights between the government and opposition aside, the Finance Ministry should invite an experienced cybersecurity firm to conduct a forensic audit of its system. The gravity of the current exploit is beyond the political fallout. The government should be certain of the extent of the compromised data and take remedial measures. It should be certain that there is no ongoing threat. This is not a matter of party politics; this is a matter of our national survival.

Follow @RangaJayasuriya on X