An investigative report on the rise of telecom fraud in Sri Lanka – March 2026 - 精品栏目位

An investigative report on the rise of telecom fraud in Sri Lanka – March 2026
By Kushan Liyana Arachchige
PhD (CS), LLM (IT/IP law), MSc (IT), MBA International Business, EMSc (Strategic Management) & Chief AI Officer – Times Media Service LLC.

Sri Lanka is in the middle of its worst telecom fraud crisis. In just two years, the small island nation became both a victim and a base for international cybercrime. Over 1,000 foreign scam operators were arrested between 2024 and 2026. Cybercrime complaints jumped from about 7,210 in nine months of 2024 to more than 12,650 in all of 2025. By early 2026, the Minister of Public Security revealed that 23 to 25 cybercrimes are being reported every single day, a rate that could push the annual total past 9,000 if it continues. A single phishing attack stole more than Rs. 6 billion from Commercial Bank customers. And in the largest data breach in Sri Lankan history, hackers took 1.9 terabytes of private data from Cargills Bank.

But the numbers we know are likely only a small part of the truth. Sri Lanka has no central system to track total losses from telecom fraud. Authorities believe only about 39 per cent of victims ever report the crime. This means the real damage could be two or three times bigger than what the records show. This investigation looks at how the crisis grew so fast, who is being hurt, what the government and its international partners are doing about it, and whether any of it is working.

Sri Lankan police officers in Colombo Photo/Bank Info Security

The scam factories on Sri Lankan soil

The most shocking part of this story is not about Sri Lankans being cheated. It is about Sri Lanka being used as a base for global fraud.

Starting in mid-2024, the Criminal Investigation Department (CID) uncovered large criminal operations run by foreign nationals inside rented hotels and villas. These were not small groups. They were organised fraud factories, sometimes taking over entire hotels.

On June 27 and 28, 2024, officers arrested 137 Indian nationals in raids across Negombo, Madiwela, and Battaramulla. Police took 158 mobile phones, 16 laptops, and 60 computers. Days later, 30 Chinese nationals were caught at a Negombo hotel.

The October 2024 raids were even bigger. In Gampaha and Hanwella, 40 foreign nationals were arrested with 499 mobile phones and 25 laptops. In Kundasale, Kandy, police found 130 Chinese nationals who had rented 47 rooms at a luxury hotel. In Kalpitiya, 54 Chinese nationals and one Japanese woman were taken, along with Rs. 10 million in cash and 98 phones.

The Chinese Embassy in Colombo said these gangs had moved to Sri Lanka from Southeast Asia. They chose Sri Lanka because of its telecom infrastructure, location, and low public awareness of digital crime.

“Scammers tend to look for smaller hotels, rent the entire place for an extended period, and are willing to pay more than the asking price.” - DIG Nihal Thalduwa, Police Spokesman

These groups ran what experts call ‘pig-butchering’ scams. They tricked middle-aged and elderly victims in China, Indonesia, and Thailand into fake investment platforms. They entered Sri Lanka on tourist visas, overstayed, and set up call centres in rented properties.

China took the matter seriously. Its Ministry of Public Security sent a special team to work with Sri Lankan police. By June 2025, 85 convicted Chinese nationals were deported on a chartered SriLankan Airlines flight to Guangzhou.

The operations also showed something worrying. Some Sri Lankans helped the fraud without realising it. They opened bank accounts for the scammers. They sold old SIM cards without proper checks. They provided personal details that were used to build fake identities.

Three types of fraud, one vulnerable population

SIM box fraud: the hidden drain on telecom revenue

SIM box fraud is a scheme where international calls are routed through local SIM cards. This bypasses official phone switches and avoids paying proper charges. The Telecommunications Regulatory Commission of Sri Lanka (TRCSL) has banned this practice under the Telecommunications Act.

No large SIM box devices were publicly reported as seized in the 2024 - 2026 raids. But the huge numbers of SIM cards found at every scam compound suggest the infrastructure is there. In one Kalpitiya raid alone, police found 98 phones and many SIM cards. Globally, this type of fraud costs telecom operators about US$5.06 billion each year. Sri Lanka’s high international call rates make it a natural target.

Phishing: the fastest-growing threat

The biggest single fraud in recent memory was the Commercial Bank phishing attack of August 2025. Criminals bought Google Ads for search words like ‘Commercial Bank Sri Lanka.’ When customers searched online, the first result led them to a fake bank website.

The fake site looked almost the same as the real one. When customers typed their username, password, and OTP code, the criminals captured everything in real time. They used the stolen details to log into the real bank and move money out. Individual victims lost as much as Rs. 1.9 million in a single transaction.

A doctor named Rishad Tahir had warned about the fake website on Facebook two days before some of the frauds happened. His warning was not enough.

Phishing goes beyond banks. In March 2024, the Sri Lanka Postal Department warned about fake SMS messages using domains like slpostgovlk.top. Scammers also pretended to be DHL, demanding customs fees. Dialog Axiata published a list of known phone and text scams. By December 2025, police warned about groups pretending to be CID and FCID officers. They used video calls with fake offices and uniforms to frighten people into sending money.

Kaspersky’s 2024 data puts numbers on the problem: 9,218 financial phishing incidents were detected targeting Sri Lanka, along with 8.6 million web threats and 12.5 million local malware incidents.

OTP and banking fraud: stealing while you sleep

The third type of fraud targets mobile banking directly. The Central Bank of Sri Lanka (CBSL) confirmed that SIM swap fraud happens in the country. In this scheme, criminals convince mobile agents to reissue a SIM card without proper identification. Sometimes, the agents and criminals work together.

The fraud usually happens late at night. The victim’s phone loses signal because the SIM has been switched. By morning, the bank account is empty. CBSL Director K. V. K. Alwis described cases where mobile operators failed to follow identity checks.

WhatsApp hijacking also became common in late 2024. Sri Lanka CERT received 74 complaints in just three months, and 64 more in the first half of 2025. Engineer Charuka Damunupola of SLCERT said something important: most bank accounts used by scammers were linked to deceased people. This points to a well-organised identity theft network.

Rs. 6 billion and 1.9 terabytes - the cases that shook a nation

Two incidents in 2025 showed how deep the problem goes.

The Commercial Bank attack was not a simple scam. The criminals used advanced techniques. If someone visited the fake website directly, they saw a restaurant page or an error message. The phishing page only appeared when someone clicked through the Google Ad. This trick made the scam invisible to security experts checking the URL. The CID told court that over Rs. 6 billion was taken. Stolen money was spread across accounts at Seylan, Sampath, Nations Trust, Pan Asia, and People’s Bank.

“Today, it was Commercial Bank. Tomorrow, it could be Sampath, HNB, People’s Bank, or BOC.” - HackAware cybersecurity platform

The Cargills Bank breach on March 20, 2025, was different but equally damaging. A ransomware group called Hunters International stole 1.9 terabytes of data - over 1.1 million files. The stolen data included NIC scans of at least 4,200 customers, passport details, staff signatures, and board member information. Most disturbingly, the hackers got 1,423 video recordings of customers opening accounts while reading out personal information.

A 2024 audit had already flagged problems with Cargills Bank’s IT systems. The warnings were not acted on. The bank first told the Colombo Stock Exchange that it was just ‘unauthorised access to a peripheral system.’ Independent checks showed 6 out of 8 contacted customers did not know their data had been stolen.

In March 2025, a new threat appeared. The Central Bank warned about AI-generated deepfake videos. Fake videos showed Governor Nandalal Weerasinghe endorsing investment schemes. Similar deepfakes targeted businessman Dhammika Perera and Kapruka founder Dulith Herath.

The people who pay the price

The damage from telecom fraud is not just about money. It is about trust, dignity, and the daily lives of ordinary Sri Lankans. The crisis hits hardest the people who can least afford it - in a country still recovering from the 2022 economic collapse.

Surini Merian is 24 years old. She works at the Katunayake Free Trade Zone. Her WhatsApp account was hijacked after she downloaded a loan application. At least 15 of her friends and colleagues received fake emergency messages from her account. They transferred money to scammer accounts. By the time anyone realised, the money was gone.

Veteran journalist N. M. Ameen lost his WhatsApp after sharing an OTP during a distracted moment. A friend transferred Rs. 100,000 to the scammer, believing it was a real request. SJB Member of Parliament Mujibur Rahuman’s hacked account was used to ask political contacts for money.

Research shows that the northern and eastern provinces are most affected. These areas have lower IT literacy. Nationally, digital literacy stands at only 63.5 per cent. Sri Lanka is still mainly a cash economy. Only 38 per cent of people are comfortable using debit cards. The COVID-19 pandemic pushed a 600 per cent increase in internet banking. But security awareness did not grow at the same speed.

Women are more vulnerable too. Only 35 per cent of women use digital financial services, compared to 41 per cent of men. Over 300,000 Sri Lankans went abroad for work in 2024. Many fell for fake migration agencies. Some were even trafficked into cyber scam operations in Myanmar.

“Banks in Sri Lanka have no mechanism to protect their customers and when fraudulent transactions happen they conveniently shift the blame on to customers.” - A banking customer

The GSMA’s February 2025 safety report noted that fraud victims often lose large sums and spend much time and effort trying to recover. This leads to long-term distrust in digital services. For a country trying to build a digital economy, this is a serious problem.

The regulators race to catch up

The government has taken several steps. But questions remain about whether they came fast enough. The latest move came on February 7, 2026, when Minister of Public Security Ananda Wijepala announced that the government will create a new police division dedicated entirely to cybercrime. He said between 23 and 25 cyber-related incidents are reported every day - a number he called significantly high for a country like Sri Lanka. Just weeks earlier, in January 2026, Sri Lanka Police issued a public warning listing nine common types of online fraud, from fake loan schemes and WhatsApp job scams to impersonation of well-known people and gaming tricks targeting children. The police said they are taking steps in 2026 to enforce the law against these crimes in a more systematic and planned way.

The Telecommunications Amendment Act No. 39 of 2024 was passed on July 9, 2024. It was the first change to the Telecommunications Act in 28 years. It gives TRCSL stronger powers over licensing and enforcement. New penalties were added for giving false user information.

Mandatory IMEI registration started on January 29, 2025. All SIM-enabled devices must now be registered on the network. Unregistered devices are blocked. This targets smuggled phones and potential SIM box hardware.

The Central Bank issued new circulars. From April 2024, all JustPay transactions over Rs. 10,000 need an OTP. Mobile payment apps must verify user identity. Banks must report cyber incidents within two hours.

The National Cyber Security Operations Center (NCSOC) was launched on September 19, 2025, under President Anura Kumara Dissanayake. It provides 24-hour threat monitoring with support from the World Bank.

The Online Safety Act No. 9 of 2024 makes online fraud and impersonation a crime.

Sri Lanka also became the first South Asian country to join the Budapest Convention on Cybercrime. This helps with sharing evidence across borders. But language problems still make it hard to prosecute foreign suspects.

China and Sri Lanka have increased their cooperation. Beijing sent investigators and accepted deported suspects.

China’s regional crackdown: Sri Lanka as one front in a wider war

Sri Lanka’s fraud problem does not exist in isolation. It is one front in a much larger battle that China is fighting across Southeast Asia and beyond. The Chinese Embassy in Colombo warned that fraud gangs moved to Sri Lanka after crackdowns in Myanmar and Cambodia. It described these crimes as a threat to both Chinese and Sri Lankan people and a danger to the friendship between the two countries.

China’s response has been massive in scale. In September 2024, the Ministry of Public Security sent a special working group to Sri Lanka to run joint operations with local police. This led directly to the large-scale arrests and the deportation of 85 convicted Chinese nationals on a chartered flight in June 2025.

But Sri Lanka is a small part of a much bigger picture. In February 2025, China, Myanmar, and Thailand set up a three-country coordination system to target scam compounds in Myanmar’s Myawaddy region. By December 2025, more than 6,600 Chinese fraud suspects had been sent back to China from Myawaddy alone. Chinese and Cambodian police arrested 2,141 suspects in places like Mondulkiri, Phnom Penh, and Svay Rieng. A joint operation with Laos captured over 600 suspects from the Golden Triangle Special Economic Zone in a single sweep. Chinese and Vietnamese police caught 149 suspects together.

In November 2025, a six-nation ministerial meeting in Kunming brought together officials from China, Cambodia, Laos, Myanmar, Thailand, and Vietnam. They signed agreements to launch joint operations, build permanent coordination systems, and share intelligence in real time. China also pushed to create a global anti-fraud alliance at the 2025 Global Public Security Cooperation Forum in Lianyungang, bringing 28 countries from Asia, Europe, and Africa on board. In total, Chinese authorities cracked 258,000 telecom fraud cases in 2025, repatriated 57,000 suspects, blocked 3.6 billion fraudulent calls, and froze about 217 billion yuan (roughly US$31.3 billion) in emergency funds.

However, experts warn that these crackdowns have limits. A July 2025 report by the U.S.-China Economic and Security Review Commission found that China’s focus on protecting Chinese victims has pushed scam groups to shift their targets towards English-speaking victims in the West. The UN Office on Drugs and Crime reported in April 2025 that scam centres in Southeast Asia were still expanding at an unprecedented scale despite the raids. In Cambodia, observers described some operations as ‘show crackdowns’ that reduced pressure without truly stopping the industry. When compounds along the Chinese border with Myanmar were shut down, many simply moved to the Thai-Myanmar border. When Thailand tried to cut internet access to known scam sites, the operators installed satellite internet.

For Sri Lanka, this means the threat is not going away. Even as China and Sri Lanka cooperate to arrest and deport suspects, the global fraud industry keeps adapting. The criminal networks are flexible, well-funded, and able to move operations from country to country as pressure shifts. Sri Lanka’s attractiveness as a base, its telecom infrastructure, its visa accessibility, its relatively low cost of operations will remain unless systemic changes are made.

The biggest problem - what we do not know

Perhaps the most important finding of this investigation is about what does not exist.

TRCSL has not published any data on the scale of scams and fraud in Sri Lanka. There is no consolidated count of financial losses. TRCSL tracks phone traffic volumes, not fraud. The police do not publish overall cybercrime prosecution results.

This matters for a simple reason. Without data, regulators cannot know if their actions are working. The 2024 Budget set aside LKR 1.5 billion for AI innovations including fraud detection in banking. But without loss figures, no one can calculate the return on that investment.

Sri Lanka’s e-commerce sector is valued at Rs. 735.2 billion - about 2.47 per cent of GDP. It is projected to grow 10.8 per cent each year. That growth depends on public trust. Trust is being destroyed by fraud that the government cannot even measure.

Globally, telecom fraud cost the industry US$38.95 billion in 2023 - up 12 per cent from 2021. India’s cyber fraud losses rose 206 per cent to about US$2.7 billion in 2024. Pakistan’s estimated losses reach US$9.3 billion a year. Sri Lanka’s losses remain unknown. But the trajectory is clear: from 7,210 complaints in nine months of 2024, to 12,650 in all of 2025, to a daily rate of 23 to 25 cases in early 2026. The problem is growing faster than the institutions built to handle it.

And on February 24, 2026, yet another raid - this time 16 Chinese nationals caught running a pyramid scam from two rented houses in central Colombo - showed that Sri Lanka’s attractiveness as a base for foreign fraud operations has not faded.

The local response - vigilance, not panic

On February 24, 2026, Cinnamon Gardens Police raided two rented houses on Jawatta Road and Don Carolis Road in Colombo. They arrested 16 Chinese nationals for running an online pyramid scam. Officers seized 23 laptops, 11 phones, 7 routers, 9 voice-translation devices, and thousands of foreign cigarettes. The story barely made national headlines. But on social media, it set off a quiet storm.

The mood among ordinary Sri Lankans is not mass outrage. There are no street protests. Conversations on Facebook, Instagram, local news comment sections, and Reddit’s r/srilanka show something different: a practical, watchful anxiety. The question people keep asking is simple. We caught these 16. But how many more are already here?

The first reaction to the arrests was praise. Under posts by Newswire and Sri Lanka Mirror, users wrote short messages of support for the police. Many tagged friends and family, treating the raid as proof that law enforcement is finally paying attention. But the praise quickly turned into pointed questions. How were these people staying on tourist visas while running an international scam ring? Why are visa overstays and suspicious group rentals not flagged faster?

The strongest emotional response came from landlords and property owners. On Instagram and Facebook real-estate groups, posts with red warning signs went viral. The message was blunt: do not rent your house or apartment to large groups of foreigners without proper screening. They are using properties for online fraud. Landlords who depend on rental income to survive the economic recovery are afraid of unknowingly becoming hosts to criminal operations. The tone is protective, not hateful. As one widely shared post put it: this is exactly what happened with the 16 arrested. Our own people are paying the price.

A deeper fear runs beneath the surface. Sri Lanka is still recovering from the 2022 economic collapse. It cannot afford another blow to its image. Some residents worry that news of foreign scam compounds will scare away tourists. Others draw direct comparisons to Cambodia and Myanmar, where similar operations have already damaged regional reputations. The concern is clear: now that Cambodia is chasing scammers out, they are trying Sri Lanka because of its internet, its geography, and its relaxed rules.

A small minority of voices in Sinhala-language groups cross into suspicion of all foreign tenants. But this is not the dominant mood. Most Sri Lankans are careful to separate honest visitors from criminals exploiting visa loopholes. The common demand is simple: screen everyone properly. That is all we are asking.

What is striking is that many people are more angry about the daily scams hitting their own families than about the foreign operators. AI voice-clone calls, OTP fraud, and fake job offers from local numbers are part of everyday life now. As one social media user wrote: forget the Chinese in Colombo. My family keeps getting these calls. The foreigners are small compared to the scams hitting us every day.

The government’s announcement of a new dedicated cybercrime police division in February 2026 was welcomed. But the public mood is clear. Arrests alone are not enough. Landlords want better screening tools. Immigration authorities face pressure for stricter visa enforcement. Ordinary citizens are quietly changing their behaviour - double-checking tenant references, warning relatives about suspicious ads, and sharing scam alerts with more urgency.

The feeling across Sri Lanka is not panic. It is heightened vigilance. As one widely liked comment captured the national mood: welcome genuine visitors with open arms. But if you come to scam us or our guests, the door will close - and the police will be waiting.