Sri Lanka Loses $625K in Second Hack as BEC Attacks Expand

Huma Shazia · 29 April 2026 at 7:28 pm · 4 min read
Key Takeaways

Source: TechCrunch
  • Sri Lanka lost $625,000 in a payment to the U.S. Postal Service that went missing weeks ago
  • This follows a $2.5 million theft from the finance ministry disclosed last week
  • Australia has flagged irregularities in Sri Lankan payments, suggesting the breach may be broader

A Second Payment Goes Missing

Sri Lanka disclosed on Tuesday that a payment of approximately $625,000 (about 199.7 million Sri Lankan rupees) to the U.S. Postal Service has been missing for several weeks. U.S. officials alerted Sri Lankan authorities after the payment failed to arrive, according to local media reports.

Authorities discovered this incident while investigating hackers who allegedly attempted to divert another payment intended for India. The disclosure comes just days after Sri Lankan officials announced they were probing a separate $2.5 million theft targeting the country's finance ministry.

The situation may extend beyond these two incidents. Australian officials have reportedly identified irregularities in payments owed to their country, suggesting the Sri Lankan breaches could be broader than initially thought.

$3.125 million
Total confirmed missing funds from two disclosed Sri Lankan payment thefts

Business Email Compromise: A Billion-Dollar Problem

Both incidents appear to be business email compromise attacks. In BEC attacks, hackers break into email inboxes or accounting systems to manipulate bank accounts and routing numbers during invoice payments. The attackers redirect funds to accounts they control instead of the intended recipients.

to other bank accounts, instead of the intended recipient.

— Treasury Secretary Harshana Suriyapperuma, describing how hackers diverted the $2.5 million payment

BEC scams remain among the most profitable cybercriminal operations. FBI data shows these attacks resulted in billions of dollars in losses last year alone. The appeal is simple: hackers can steal large sums through a single successful breach, often without deploying malware or complex technical exploits.

Political Pressure on a Recovering Economy

The successive security failures have added pressure on the Sri Lankan government during an already difficult period. The country is still recovering from an economic crisis that led to a debt default in 2022. That crisis triggered months of protests and the ouster of then-president Gotabaya Rajapaksa.

It remains unclear whether the two confirmed thefts are linked. Member of Parliament Nalinda Jayatissa said the government is investigating whether the incidents are connected.

What Makes BEC Attacks So Effective

BEC attacks succeed because they exploit trust and process rather than technical vulnerabilities. Attackers typically gain access to email accounts through phishing, then monitor communications to understand payment workflows. When they spot a pending large transaction, they insert themselves into the conversation, often impersonating a trusted party and requesting a change to payment details.

Government agencies face particular risks. They handle large, regular payments to foreign entities. Payment processes often involve multiple departments with limited cross-verification. And international wire transfers are difficult to reverse once completed.

  • Attackers monitor email to learn payment schedules and vendor relationships
  • They impersonate trusted parties to request account number changes
  • Wire transfers, especially international ones, are hard to recover
  • Multiple departments handling payments create verification gaps

Implications for Government Cybersecurity

The Sri Lankan incidents highlight a persistent blind spot in government cybersecurity. Agencies often focus on protecting classified information and critical infrastructure while treating financial processes as routine administrative functions. But payment systems handle real money in real time, making them attractive targets.

Standard defenses include multi-factor authentication on email accounts, out-of-band verification for payment changes (calling a known number rather than one provided in an email), and real-time monitoring of payment anomalies. The challenge is implementing these controls consistently across large bureaucracies.
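
The out-of-band verification and payment-anomaly controls described above can be enforced as a pre-release check. This Python example is added here and is not from the article or any agency involved. The record fields, vendor names, account numbers and the 14-day cooling-off window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

COOLING_OFF = timedelta(days=14)  # assumed policy value, not from the article

@dataclass
class Vendor:
    name: str
    account: str               # beneficiary account currently on file
    account_changed_on: date   # last time the bank details were modified
    change_channel: str        # how the change request arrived: "email", "portal", ...
    callback_verified: bool    # confirmed by calling the number already on file

@dataclass
class Payment:
    vendor: str
    account: str               # account named on the invoice / payment instruction
    amount: float
    pay_date: date

def review_payment(p: Payment, vendors: dict) -> list:
    """Return the reasons to hold a payment; an empty list means release."""
    v = vendors.get(p.vendor)
    if v is None:
        return ["unknown beneficiary: no vendor master record"]
    reasons = []
    if p.account != v.account:
        reasons.append("instruction account differs from account on file")
    recently_changed = p.pay_date - v.account_changed_on <= COOLING_OFF
    if recently_changed and not v.callback_verified:
        reasons.append("bank details changed recently without callback verification")
    if v.change_channel == "email" and not v.callback_verified:
        reasons.append("bank-detail change requested by email only")
    return reasons

# Constructed sample data (hypothetical, not taken from the incidents in the article).
VENDORS = {
    "Postal Operator A": Vendor("Postal Operator A", "ACCT-1111", date(2024, 1, 10), "portal", True),
    "Supplier B": Vendor("Supplier B", "ACCT-9999", date(2026, 4, 20), "email", False),
}
PAYMENTS = [
    Payment("Postal Operator A", "ACCT-1111", 500_000.0, date(2026, 4, 28)),  # matches file
    Payment("Postal Operator A", "ACCT-7777", 500_000.0, date(2026, 4, 28)),  # swapped account
    Payment("Supplier B", "ACCT-9999", 40_000.0, date(2026, 4, 28)),          # unverified change
]

if __name__ == "__main__":
    for p in PAYMENTS:
        held = review_payment(p, VENDORS)
        print(p.vendor, p.account, "HOLD: " + "; ".join(held) if held else "RELEASE")
```

The third payment is the case that matters most: the instruction matches the master record, so a simple account comparison passes, and only the record of how the bank details were changed exposes the risk.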

Frequently Asked Questions

What is a business email compromise attack?

A BEC attack occurs when hackers gain access to email accounts or accounting systems to intercept and redirect legitimate payments. They typically monitor communications to understand payment workflows, then impersonate trusted parties to request changes to bank account details.

How much money has Sri Lanka lost in these attacks?

Sri Lanka has disclosed two incidents totaling $3.125 million: a $2.5 million theft from the finance ministry and a $625,000 missing payment to the U.S. Postal Service. Additional irregularities flagged by Australia suggest the total could be higher.

How can organizations prevent BEC attacks?

Key defenses include multi-factor authentication on email, out-of-band verification for payment changes (calling a known number to confirm requests), real-time monitoring for payment anomalies, and treating any request to change payment details as a potential red flag requiring verification.

Are the Sri Lanka hacks connected?

Authorities are still investigating whether the incidents are linked. Member of Parliament Nalinda Jayatissa confirmed the government is examining potential connections between the thefts.

Source: TechCrunch / Zack Whittaker

Huma Shazia

Senior AI & Tech Writer
