Sri Lanka is grappling with a significant and escalating wave of cybercrime, posing increasing threats to individuals, businesses, and even government institutions. Data from the Sri Lanka Computer Emergency Readiness Team (SLCERT) reveals a sharp rise in reported incidents, with over 5,400 cybercrime cases recorded so far in 2025 alone.
The surge is largely attributed to the nation’s rapidly expanding digital footprint and a concurrent lack of widespread cybersecurity awareness. With over seven million internet users, a vast majority of whom are active on social media, the attack surface for malicious actors has grown considerably.
Social media platforms, particularly Facebook, WhatsApp, Instagram, Snapchat, and TikTok, are proving to be fertile ground for cybercriminals, accounting for nearly 90% of reported cases. Common offenses include the proliferation of fake profiles, account hacking, and WhatsApp hijackings. The increasing misuse of Artificial Intelligence (AI) tools to generate sophisticated malware, phishing emails, and deepfake videos is introducing new, insidious risks, often employed for harassment, extortion, or to manipulate public opinion.
Beyond individual exploitation, the impact on public and private sectors is becoming a serious concern. This year alone, several government entities have faced disruption, including the Department of Government Printing and the Sri Lanka Police, whose websites were compromised. In a particularly alarming incident in June, the SMS gateway of the National Water Supply and Drainage Board (NWSDB) was breached, leading to customers receiving ransom demands for Bitcoin payments via the board’s official shortcode. March saw multiple banks hit by ransomware attacks, resulting in the leak of a staggering 1.9 terabytes of sensitive data, including national identity card images and transaction histories.
Online financial fraud remains a prevalent threat. The Criminal Investigation Department (CID) has highlighted two primary methods: elaborate fake investment and work-from-home schemes that lure victims with fabricated profits before demanding further payments, and bogus remote job offers used to illicitly collect bank account details for money laundering.
The Sri Lankan government is attempting to address the escalating crisis. The Cabinet of Ministers recently approved a new five-year National Cyber Protection Strategy for 2025-2029. Developed by SLCERT with World Bank support, this strategy aims to strengthen legal and regulatory frameworks, enhance preparedness, and improve incident response capabilities. Key areas of focus include legal modernization to address evolving threats like data theft and ransomware, fostering public-private partnerships, and developing a skilled cybersecurity workforce.
However, the fight against cybercrime requires a collective effort. Authorities continue to urge the public to exercise extreme caution online. Essential advice includes avoiding suspicious links, refraining from sharing sensitive banking information with strangers, never transferring funds from unknown sources, enabling two-factor authentication, and maintaining strict privacy settings on social media accounts. As Sri Lanka navigates its digital transformation, robust cybersecurity measures and heightened public awareness are paramount to safeguarding its digital future.
