Cybercrime in a rebuilding nation with digital dreams

By R.P. Pabasara

Marking one of the largest cyber security-related incidents targeting a state institution in recent history, it was reported that 2.5 million USD of Sri Lankan treasury funds were fraudulently diverted. The funds have been part of a bilateral debt payment to Australia with settlement due in September 2025. Even the officials from the Ministry of Finance have acknowledged that such an incident has occurred through a cyber-attack compromising the system. Investigations are underway to bring those responsible to justice and recover the stolen.

Despite various claims made by multiple parties, this illustrates a serious breakdown in digital infrastructure, institutional safeguards, and a lack of oversight. As a nation struggling with serious socio-economic concerns, the prevalence of opportunity for such crime to take place undermines the trust in governance, and most importantly, the contemporary agenda for a digital economy.

Amidst ongoing geopolitical concerns in the Middle East, the aftermath of Cyclone Ditwah, and upcoming debt repayments, the island nation has achieved notable economic progress in the past few months. According to the Annual Economic Review 2025, the GDP per capita has surpassed 5,000 USD, with a real GDP growth estimated at 5%. The review elaborates how the labour market conditions are gradually improving, low interest rates leading to a notable expansion in credit to the private sector, high levels of remittances being sent by foreign employees, and the primary balance recording a surplus for the third consecutive year. Even the transformation into a digital economy can make a positive difference. As outlined in Sri Lanka’s Digital Economy Blueprint (Figure 1), the following milestones are expected to be achieved.

• Growth of the digital economy from 3-4% to 12% of the total economy
• Increased digital exports to USD 5 billion
• Expanding digital workforce to 200,000
• Lowering transaction costs to below 1%
• Leapfrogging from 3^rd and 4^th quartile pf global digital economic indices to 2^nd and 3^rd by 2030.

Figure 1: Sri Lanka's Digital Economy Blueprint

Even though this blueprint is based on key architectural values on inclusion, policy, legislation, and institutions, trust and governance, and capacity building and sustainability, cybercrime challenges the entire framework through hindrance to many Digital Public Infrastructure (DPI). As portrayed in recent incidents, the threat can make every DPI, including national data exchange, digital payments, and authentication mechanisms, vulnerable. True that GovPay and publicly available 5G services are redefining everyday digital usage; one single macro-level incident erodes the trust placed on digital transformation and sustainable governance. With the digital literacy rate expected to increase to 65% by 2024, and the World Bank indicating that 82% of adults have accounts for digital financial services, with 31% making digital payments, a robust strategy to tackle cybercrime no longer remains optional.

This urgency is underscored by the rising number of cybercrime incidents reported daily. From malware to phishing, the rising numbers portray how imminent and strong the response should be. As illustrated in Table 1, incidents have gradually increased from 2,580 to 20,628 within a period of six years. Most notably, statistics for 2024 aggravate the situation with 4,327 cybersecurity incidents and 17,396 social media incidents, accounting for a total of 21,743 (Table 2).

Table 2: Cyber security incidents reported to SLCERT in 2024,
National Cyber Security Strategy of Sri Lanka (2025-2029), pg. 8

Several government institutions have identified and warned about a noticeable increase in financial crimes through popular social media platforms such as Facebook, WhatsApp, and Telegram. Especially the recent incidents involve fraudulent connections with impersonated accounts, online loan and job scams, sharing of phishing links, crypto and forex-related fraudulent investment schemes, and scams claiming lottery or prize winnings. Exploiting the public trust in digital services and government identities, these scams have become more advanced, technology-backed, and hard to trace.

Figure 2: Socio-economic impact of cybercrime, Wright and Kumar (2023).

The impact this creates on society is vast. Even though the visible loss in the most recent incident might be 2.5 million USD, the macro-level socio-economic impact cannot be measured by figures. As demonstrated in scientific literature, the socio-economic impact of cybercrime spans over four different dimensions: costs in anticipation, costs as a consequence, costs in response, and cost-influencing factors (Figure 2). From a criminological standpoint, the first category represents preventive costs associated with implementing defensive measures, precautionary practices, and behaviors to reduce the risk of cybercrime victimization. While the rest of the three categories represent a crime control perspective, the costs as a consequence are the most direct and first-order costs that everyone talks about. Certain rigorous systematic reviews published recently have underscored both the direct and indirect economic costs of cybercrime. It has been indicated how the aggregated global annual cost of cybercrime has steadily increased, with projections made that it will be 265 billion USD per year by 2031. Simultaneously, the costs in response include the indirect costs for investigation, remediation, system upgrading, as well as stock market damages, reputational damages, production chain disruptions, spillover effects, and recovery costs. Ultimately, the costs can be aggravated by the influence of cost-influencing factors associated with each institution, group, or individual.

On the other hand, the social impact is larger than that of the economy. In an atmosphere where the government is making structural efforts to implement a digital economic transformation, citizens place a huge trust in systems and infrastructure. However, the recent incident had the state itself as the victim. When the ultimate guardian of the citizen is getting victimized, the average citizen will feel that their own banking app, or payment gateways they interact with, are insecure.  Drawing insights from the popular Edelman Trust Barometer, it can be argued that such cybersecurity failures cannot be taken for granted, as they correlate with a sharp decline in public trust in government institutions. Moreover, this can cause long-term erosion of trust in digital workflows, making future borrowing efforts more costly than ever. As discussed in the IMF’s Global Financial Stability Reports, such cyber insecurities in emerging markets can trigger capital flight and financial instability. As creditors expect stronger financial processes, this can negatively affect debt restructuring efforts, as well as the island’s reputation with the IMF and bilateral creditors.

Then, is it the deficiency of laws or institutions to tackle the emerging trends in cybercrime? Notably, many international conventions are in place, and Sri Lanka is also a party. Even the local legal landscape consists of multiple provisions to handle the issue. The Budapest Convention, adopted in 2001, requires participants to integrate cyber offences into their national criminal laws, assist law enforcement procedures, and facilitate cross-border collaboration to tackle this transnational issue. As a state party to this convention, Sri Lanka has also made significant progress in developing national laws to tackle cybercrime. Prevention of Money Laundering Act, No. 5 of 2006, Electronic Transactions Act, No. 19 of 2006, Computer Crimes Act, No. 24 of 2007, Personal Data Protection Act, No. 9 of 2022, Online Safety Act, No. 9 of 2024. Moreover, the recently passed Anti-Corruption Act No. 9 of 2023 and Proceeds of Crime Act, No. 5 of 2025, provide legal provisions to investigate, arrest, prosecute, convict, and sentence those responsible for respective offenses within digital spaces. To enact those laws, Sri Lanka has a network of institutions, including the Ministry of Justice, the Ministry of Foreign Affairs, the Attorney General’s Department, the Computer Crime Investigation Division (CCID), the Sri Lanka Computer Emergency Readiness Team (SLCERT), the Financial Intelligence Unit (FIU), and most importantly, the country’s independent judicial system.

Hence, the issue is not the inadequacy of laws or institutions, but the practices within digital spaces. State or private, citizens give their personal and sensitive data to an institution just because they trust in systems that handle that data. Unless confidentiality and security are maintained up to the anticipated level, the outcome can be critical for a larger community. Hence, the best digital practices should be adopted at an institutional level. Starting from being vigilant on fraudulent email, to regular scanning of systems, the best practices include, but are not limited to, mandating Multi Factor Authentication (MFA), regular sessions to help employees identify possible cyber threats, keeping all applications updated, backing up critical data, practicing Role Based Access Control, and having an incident response plan. Especially in governmental settings, it is advocated to maintain a Zero Trust Architecture on the assumption that no user or device is inherently trustworthy. Simultaneously, the individuals should stay vigilant and must refrain from sharing account-related information, OTPs, and PINs with unknown parties, visiting extensions (links and QR codes) sent by unknown parties, and disclosing personal information over digital spaces. These recommendations look simple yet can become decisive in reducing the likelihood of cybercrime victimization.

Since cybercrime never remains uniform but continuously evolves with the advancements of technology itself, solutions should evolve at a pace faster than that of cybercrime. Especially the latest versions of Artificial Intelligence (AI), including Agentic AI and Generative AI, should be a part of modern-day responses to cybercrime. Though resource constraints may hinder any such attempt, the application of good management practices can overcome the issue with desired benefits. Such structured responses supported by the latest technologies can make Sri Lanka’s journey towards digital transformation more inclusive, resilient, and sustainable.

(The writer is a final year undergraduate in the Department of Criminology and Criminal Justice, University of Sri Jayewardenepura, and a Conveyancing Clerk in Victoria, Australia.)