Sri Lanka reports second missing overseas payment after $2.5 million finance ministry theft
Officials point to business email compromise altering invoice routing; foreign counterparts start doing the reconciliation
Zack Whittaker
techcrunch.com
Sri Lanka has disclosed a second missing international payment days after revealing that hackers stole $2.5 million by targeting the country’s finance ministry, according to TechCrunch. Authorities said a payment of about $625,000 to the US Postal Service has been missing for weeks, after US officials reported it never arrived. The disclosure follows an earlier incident in which hackers allegedly diverted a payment from Sri Lanka’s postal authority to other bank accounts.
The pattern described by Sri Lankan officials matches a familiar and low-tech failure mode: business email compromise. Rather than breaking encryption or deploying exotic malware, attackers get into an inbox or accounting workflow and then change bank details on invoices or payment instructions at the moment money is about to move. TechCrunch notes that the FBI has repeatedly described such scams as one of the biggest sources of cybercriminal profits, with losses in the billions. For a government, the vulnerability is less the payment rail than the administrative reality that large organisations route payments through long chains of approvals, shared mailboxes, and vendor communications that were never designed as secure systems.
Sri Lanka’s latest admission suggests the problem may not be limited to a single successful theft. Officials detected the missing payment after hackers allegedly tried to divert another payment intended for India, and Australian officials are reportedly aware of irregularities in payments owed to Australia, TechCrunch reports. It remains unclear whether the incidents are linked, and a member of parliament said the government is investigating connections.
The timing matters because Sri Lanka is still climbing out of its 2022 debt default and the political turmoil that followed. In that environment, a few million dollars is not just a line item: it is a signal to lenders, counterparties and suppliers about whether invoices will be paid and whether payment instructions can be trusted. If foreign agencies and vendors start treating Sri Lankan payment emails as unverified, the country pays in friction — more manual checks, more intermediaries, more delays — long before any court case identifies the attacker.
Sri Lanka’s treasury secretary described the earlier theft publicly at a press conference, but the mechanism of the fraud points to an unglamorous fix: tighter controls on who can change beneficiary details, out-of-band verification for new routing numbers, and audit trails that are actually reviewed. The missing $625,000 was detected only after the recipient said it had not been paid.
The government says the payment has been missing for several weeks. The first external confirmation came from the US Postal Service side: the money did not arrive.