The Scammers Have Found Our Address.

By: Damintha Gunasekera
Earlier this year, police raided a seaside hotel in Chilaw and found more than 150 foreign nationals running an online scam operation from inside the building. Read that sentence again. Not a drug bust. Not a smuggling ring. A hotel on our western coast, converted into a fraud factory.
That raid was not an isolated catch. It was confirmation of something Sri Lanka has been slow to say out loud: the criminal syndicates being squeezed out of Southeast Asia are relocating, and they have chosen us. And the reason they have chosen us is the same reason a spoofed email cost the Treasury 2.5 million dollars, and the same reason the international assessors now examining our financial system make officials nervous. The thread running through all three stories is state capacity. We do not currently have enough of it, and everyone has noticed.
The migration
For years, the global capital of online fraud was mainland Southeast Asia. Sprawling compounds in Myanmar and Cambodia, trafficking workers from dozens of countries and defrauding victims worldwide of an estimated 40 billion dollars a year. Then the crackdowns came. In just two weeks this February, Cambodian authorities raided over 2,700 locations and identified more than 21,000 foreign nationals as potential suspects.
But these networks do not die. They move. Police here have arrested more than 1,000 foreigners since the start of this year for alleged involvement in cybercrime, up from 430 in all of 2024. In a single night in May, five raids in Galle and Matara netted more than 220 suspects.
Why us? Because from a criminal's perspective, we are an excellent product. Tourist visas available to nationals of more than forty countries. Reliable, high-speed internet. Hotels, guesthouses, apartments and office floors available to rent quickly and quietly; police have begun warning property owners that renting to these operations could make them liable. The openness we built to bring back tourists is being exploited by a very different kind of visitor. Even Beijing's embassy in Colombo has acknowledged that illicit activity here rose after enforcement tightened in Cambodia, Myanmar and the UAE, and has pledged closer cooperation with our law enforcement.
For now, these networks mostly target victims across Asia. But dozens of Sri Lankans have been rescued from scam compounds abroad over the past year, and the Central Bank's latest risk assessment flags these frauds as a developing threat at home. This is not someone else's crime wave parked on our soil. It is ours now.

The soft target
If the first warning is who is arriving, the second is what they found when they got here: a state whose own defences are thin.
This month, Parliament received the Committee on Public Finance's report on the theft of 2.5 million US dollars during foreign debt repayments to Export Finance Australia. The published findings read like a case study in institutional decay. Attackers used fraudulent email domains closely resembling the Australian lender's to slip false invoices into genuine correspondence. Ten payments were diverted across four dates between November and January. The Treasury's email server had been procured in 2016, was obsolete by 2019, and was still in use in 2026; the fraud began about a month after its security support lapsed, timing the Committee called far more than a coincidence.
The scale of the near-misses is what elevates this from one theft to a systemic warning. After an earlier fraudulent attempt involving the EXIM Bank of India was escalated, officials began scrutinising past payment instructions and found the fraud was not confined to Australia. Instructions received by email for repayments to the United Kingdom of about 1.3 million dollars, to Germany of about 4 million euros, and to Belgium had also been identified as fraudulent. The UK payment was suspended just in time. The Belgian payment, by fortune or vigilance, had gone to the correct account. Add it up: the attackers were inside the correspondence of our sovereign debt repayment process across at least four creditor relationships, and the sums at risk ran to several times what was actually lost.
And the theft itself was not caught in real time. Ten payments left the system over four months without detection. The review that eventually surfaced them began only because of the attempted fraud on another creditor, and it was during that verification, on 23 March, that Export Finance Australia's notices of non-receipt reached the Ministry. The one attempted diversion stopped mid-flight was caught the old-fashioned way, by Central Bank officials who noticed a beneficiary account that did not match and demanded reconfirmation. The system can work when a person is paying attention. It cannot yet work on its own.
This was not a sophisticated state-sponsored intrusion. It was the same trick used on pensioners everywhere: a convincing email and an unverified instruction. If the Treasury's debt repayment process can be breached by a lookalike email address, ask what that says about the hundreds of other state institutions holding public money and public data.

The clock
What turns these two stories into an emergency is the third. Sri Lanka is undergoing its third international evaluation on anti-money laundering and terrorism financing, conducted with the Financial Action Task Force and its regional affiliate. For the first time, the methodology measures effectiveness: not whether we have laws, but whether they work. The assessors will count convictions and confiscated assets, not gazettes.
We know what failure costs because we have paid it before. Past evaluations found strategic deficiencies that put Sri Lanka on the FATF grey list in 2017 and contributed to blacklisting by the European Union, escaped only after years of remedial work. The Director of the Financial Intelligence Unit has been blunt: we cannot afford to be grey listed again. Grey-listing raises transaction costs, endangers correspondent banking and pushes up borrowing costs. For an economy still climbing out of default, that is not a compliance problem. It is a second crisis, self-inflicted.
The government is moving on paper. Amendments to the money laundering, financial reporting and terrorist financing laws have been gazetted and sent to Parliament, and a framework for virtual assets is due by the end of 2026. Necessary, but not sufficient, for two reasons. The first is that the evaluators are explicitly not grading paper. The second is that speed has already shown its costs: civil society groups publicly warned that some provisions go beyond FATF requirements and touch fundamental rights, and the bills were challenged before the Supreme Court. The Court has cleared them, subject to its determinations. But constitutional clearance is a floor, not a fitness certificate. The Court's pre-enactment review asks only whether a bill violates the Constitution, not whether it is well designed, proportionate to risk, or aligned with the FATF standards it claims to serve. Those questions belong to Parliament, and groups that raised the original concerns are still pressing them. Getting this right matters for the evaluation itself: a law that overreaches invites uneven enforcement and endless litigation, which is exactly what assessors mark down. Effective and fair are not competing goals here. They are the same goal.

What capacity actually looks like
The task before Sri Lanka is narrower and harder than passing bills. Investigators who can trace a crypto wallet as comfortably as a bank account. Immigration, police, customs and financial regulators sharing information in days, not months. Verification protocols in every institution that moves public money, so a spoofed email dies at the first checkpoint. The Committee's own report points the way, recommending urgent implementation of long-outstanding SL-CERT cybersecurity recommendations across the public sector. We already know what to do. We have known for years. Knowing is not the gap. Capacity is.
None of this is beyond us. The raids this year prove enforcement can act when directed. The question is whether we treat Chilaw and the Treasury theft as embarrassing episodes to be managed, or as the early warnings they are. Cambodia ignored its warnings and became shorthand for a captured state. We are being tested right now, by criminals probing our systems and by assessors grading our answers, and for once the two tests have the same answer sheet. Pass the second, and we make ourselves too expensive for the first.