By: Ovindi Vishmika
May 01, Colombo (LNW): Sri Lanka’s alleged diversion of USD 2.5 million from a Treasury-linked foreign debt repayment has moved beyond political debate into the realm of criminal law, with authorities now navigating a complex legal framework to investigate what is believed to be a cyber-enabled financial offence.
While initial claims by Opposition Leader Sajith Premadasa triggered public concern, subsequent acknowledgements by officials suggest that unauthorised system access within the Treasury’s External Resources Department may have allowed funds to be redirected to a fraudulent account. The case has since drawn in multiple investigative bodies, raising critical questions about how Sri Lankan law deals with cyber intrusions involving state finances.
Cybercrime at the Core of the Case
Legal experts point to the Computer Crime Act, No. 24 of 2007 as the primary statute governing the incident. The Act criminalises a range of activities that appear directly relevant to the alleged breach, including unauthorised access to computer systems, manipulation of data, and interference with digital financial processes.
If proven, altering payment instructions or redirecting funds through compromised systems could constitute serious offences, particularly where such actions impact the national economy. The law also recognises cyber acts that create risks to economic stability as aggravated offences, potentially elevating the severity of charges.
Multi-Agency Criminal Investigation Underway
Under Sri Lankan law, offences of this nature are classified as cognizable, allowing law enforcement agencies to act swiftly without prior court approval. Investigations are conducted under the Code of Criminal Procedure, enabling authorities to arrest suspects, search premises, and seize digital evidence.
In this case, the involvement of the Criminal Investigation Department (CID), the Police Computer Crime Investigation Division, and financial intelligence authorities reflects the seriousness of the allegations and the technical complexity of tracing digital financial fraud.
The government has also indicated that the matter may be examined at a parliamentary level, following a request submitted to Speaker Jagath Wickramaratne, with Cabinet Spokesman Nalinda Jayatissa stating that a decision on further inquiry rests with Parliament.
Digital Forensics and Expert Involvement
A key feature of cybercrime investigations under Sri Lankan law is the use of technical experts. The Computer Crime Act allows qualified specialists in information technology to assist police in analysing compromised systems, retrieving data, and reconstructing events leading to the breach.
These experts are empowered to access computer systems, examine transaction logs, and identify how unauthorised access occurred,functions that are central to determining whether the Treasury breach resulted from external hacking, internal lapses, or a combination of both.
Powers to Trace and Preserve Evidence
The law grants investigators wide authority to secure digital evidence. Courts may issue warrants to intercept communications and obtain financial data, while urgent situations allow officers to act without warrants if there is a risk of evidence being destroyed.
Authorities can also compel institutions and individuals to preserve relevant data for extended periods, ensuring that critical digital trails such as altered bank details or transaction records are not lost during the investigation.
Failure to cooperate with such directives is itself a punishable offence, underscoring the legal obligation of both public officials and private entities to assist investigators.
Questions of Accountability
Beyond identifying the perpetrators, the case raises complex issues of legal responsibility. The law does not limit liability to external hackers; it extends to individuals who may have facilitated the offence, whether through negligence, unauthorised disclosure of access credentials, or failure to maintain adequate safeguards.
Senior officials could also face scrutiny if it is established that due diligence was not exercised in overseeing financial systems. Provisions relating to abetment, conspiracy, and attempts mean that multiple actors both within and outside government could potentially be implicated.
International Legal Dimensions
Given that the transaction involved a foreign debt repayment reportedly linked to Australia, the investigation may extend beyond Sri Lanka’s borders. The Computer Crime Act allows for extraterritorial jurisdiction, enabling prosecution even where elements of the offence occurred outside the country.
Sri Lanka may also seek international cooperation under mutual legal assistance frameworks, particularly if funds were routed through overseas accounts or foreign actors were involved.
Trial and Recovery of Public Funds
Any prosecution arising from the case would fall under the jurisdiction of the High Court. Courts are empowered to admit digital and expert evidence, which often forms the backbone of cybercrime cases.
In addition to criminal penalties such as imprisonment and fines, the law provides for financial recovery. Courts can order offenders to compensate the State for losses or repay any unlawful gains, offering a legal pathway to reclaim misappropriated public funds.
Broader Legal and Institutional Implications
While the criminal investigation focuses on identifying wrongdoing, the incident has also triggered calls for broader legal scrutiny of institutional failures. Critics argue that weaknesses in verification processes, oversight mechanisms, and internal controls may have contributed to the breach.
As public pressure mounts, the case is likely to test not only Sri Lanka’s cybercrime laws but also its systems of financial governance and accountability.
For now, authorities maintain that investigations are ongoing, with further disclosures expected from the Ministry of Finance. The outcome could set a significant precedent for how the country addresses cyber-enabled financial crimes involving state institutions in the future.