
Inside the NDB Rs. 13.2 Billion Fraud: An Insider Scandal, Not a Hack

ducky
2026-05-22

When news broke in April 2026 that Sri Lanka's National Development Bank PLC (NDB) had lost billions of rupees to fraud, many assumed the bank had been "hacked." It hadn't. There was no external breach of customer accounts, no ransomware, no stolen card data. What NDB uncovered was something arguably more troubling for a financial institution: an internal fraud, allegedly carried out by its own employees in collusion with outside parties, that went undetected for the better part of two years.

This is an important distinction. A hack is an outsider breaking in. This was an insider quietly walking funds out the door — a failure of governance and internal controls rather than of firewalls. Here's what happened, how it reportedly worked, and why it matters well beyond NDB.

What Happened

The scandal surfaced through a sequence of disclosures to the Colombo Stock Exchange (CSE).

On 2 April 2026, NDB first informed the market that it had detected an act of fraud committed by certain employees "in connivance with a third party or parties." The initial estimated exposure was around Rs. 380 million — already serious, but contained.

Within days, that picture changed dramatically. On 6 April 2026, after deeper internal investigation, NDB revised the estimated loss to approximately Rs. 13.2 billion (roughly US$42 million) — a more than thirty-fold jump from the first estimate. The bank said the fraud was confined to a specific operational area and that recovery efforts were underway with law-enforcement support.

The CSE had halted trading of NDB shares pending the disclosure. When the halt was lifted, the stock fell sharply — dropping from a previous close of around Rs. 130 to the Rs. 110–115 range, a slide of roughly 15% as investors absorbed the scale of the loss.

According to court filings and investigators, the fraudulent activity is believed to have run from mid-2024 through March 2026 — meaning it persisted across multiple reporting periods before being caught.

How the Fraud Allegedly Worked

The most revealing part of this case is the method, because it shows how a determined insider can defeat automated controls.

Investigators allege the scheme was orchestrated within NDB's Department of Payments and Settlements — the back-office function responsible for moving money between accounts and institutions. Insiders are suspected of:

  • Diverting funds through roughly 64 fraudulent accounts, breaking large sums into a web of transfers rather than one obvious movement.
  • Timing transactions for weekends, when automated monitoring and reconciliation systems were less likely to flag activity in real time.
  • Converting a portion of the proceeds into cryptocurrency through global platforms — reportedly including Binance — and moving funds offshore to frustrate tracing.

Because the money was allegedly drawn from the bank's general ledger / proprietary funds and inter-bank settlements rather than from retail deposit accounts, the theft did not show up as missing money in any customer's balance. That is precisely why it could continue for so long, and why the eventual figure ballooned so far beyond the first estimate.

Authorities have sought Interpol assistance to trace approximately Rs. 380 million allegedly converted into cryptocurrency and routed through offshore channels.

Were Customers Affected?

No — and this has been stated repeatedly and explicitly.

Both NDB and the Central Bank of Sri Lanka (CBSL) have assured the public that ordinary deposit accounts, balances, and day-to-day banking operations remain safe and unaffected. The CBSL conducted a preliminary assessment and confirmed that, despite the loss, NDB's capital adequacy and liquidity ratios remained above the minimum regulatory requirements. The regulator added that NDB could access temporary liquidity support if needed.

In short: the loss hit the bank's own funds, not customers' money. For depositors, the practical impact is reputational and indirect rather than a hit to their balances.

The Investigation and Arrests

The matter is being investigated by Sri Lanka's Criminal Investigation Department (CID), including its Cyber Crimes Investigation Division, with support from the Central Bank.

Several suspects have been arrested and remanded. Court filings have publicly identified an assistant manager attached to the head-office payments division among those detained. (As with any active case, those arrested are suspects facing allegations and are entitled to the presumption of innocence until proven guilty.)

The case has widened beyond the original suspects. The Colombo Chief Magistrate has directed the CID to arrest and produce any senior NDB officials found to have aided or abetted the misappropriation, and to report on whether any executives suppressed earlier control-related recommendations from the regulator. Proposals have reportedly been submitted to impose travel bans and take custody of the passports of board members while the probe continues.

NDB says all implicated employees have been suspended and their system access revoked.

The Regulator's Response

The CBSL has moved on several fronts to contain the fallout and tighten oversight:

  • Suspended NDB's scheduled cash dividend and restricted discretionary spending, including branch expansion (while allowing a scrip dividend to proceed).
  • Heightened day-to-day supervision of the bank.
  • Mandated an independent forensic audit by a leading international firm with overseas experts — reportedly engaging a major global advisory firm — with a scope that extends beyond the fraud itself to examine governance, oversight, and regulatory-compliance failures during the relevant period.
  • Ordered NDB to immediately strengthen internal controls and to commission a separate third-party review of its policies, systems, and controls.

The Governance Question

A recurring criticism has emerged: how could a scheme of this size run for nearly two years inside a regulated commercial bank without detection?

Opposition figures and commentators have questioned why the existing board and senior management — the very people responsible for the bank's internal controls and risk management during the period in question — remained in office while the investigation proceeded. Critics point to the Basel Committee's Corporate Governance Principles for Banks, which hold that individuals responsible for systemic failures should be excluded from the investigative process to avoid conflicts of interest.

This is the heart of the matter. The fraud was not a sophisticated external attack; it was an exploitation of weak segregation of duties, inadequate transaction monitoring, and gaps in oversight.

What It Means: Lessons in Operational Risk

For anyone working in banking, audit, or governance, the NDB case is close to a textbook study in operational and internal-control risk. A few takeaways stand out:

  • Insiders are a primary threat. Most security investment targets external attackers, yet the costliest events often come from trusted staff who already have legitimate access. Privileged roles in payments and settlements deserve the highest scrutiny.
  • Segregation of duties is non-negotiable. When one person or a small colluding group can both initiate and approve fund movements, the control framework has already failed.
  • Monitoring must cover the gaps, not just the business day. The alleged use of weekend transactions to dodge automated checks shows that controls operating "9-to-5" leave exploitable windows. Continuous, anomaly-based monitoring matters.
  • Detection lag compounds losses. A fraud caught in weeks is a Rs. 380 million problem; the same fraud caught after two years became a Rs. 13.2 billion one. Early-warning capability is itself a financial control.
  • Governance and culture sit above the controls. Technical controls only work when leadership enforces them and acts on red flags. Suppressed recommendations and conflicts of interest can neutralise an otherwise sound framework.
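The segregation-of-duties and off-hours monitoring points above, sketched as detection logic in an added example (not code from NDB, the regulator, or any source cited here). The records, field names, user IDs and the `GL-` ledger prefix are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed settlement records; every field name and value is hypothetical.
TRANSFERS = [
    {"id": "T1", "posted": "2025-03-03T10:15", "source": "CUST-1001",
     "dest": "CUST-2002", "maker": "u17", "checker": "u22"},
    {"id": "T2", "posted": "2025-03-01T23:40", "source": "GL-SETTLE",
     "dest": "ACC-A", "maker": "u31", "checker": "u31"},
    {"id": "T3", "posted": "2025-03-02T02:05", "source": "GL-SETTLE",
     "dest": "ACC-B", "maker": "u31", "checker": "u40"},
    {"id": "T4", "posted": "2025-03-08T22:10", "source": "GL-SETTLE",
     "dest": "ACC-C", "maker": "u40", "checker": "u31"},
    {"id": "T5", "posted": "2025-03-04T14:00", "source": "GL-SETTLE",
     "dest": "BANK-X", "maker": "u17", "checker": "u22"},
]

def sod_violations(transfers):
    """IDs where one user both initiated and approved the movement."""
    return [t["id"] for t in transfers if t["maker"] == t["checker"]]

def weekend_ledger_debits(transfers, ledger_prefix="GL-"):
    """IDs of debits from the bank's own ledger accounts posted Sat/Sun."""
    flagged = []
    for t in transfers:
        weekday = datetime.fromisoformat(t["posted"]).weekday()  # Mon=0, Sun=6
        if t["source"].startswith(ledger_prefix) and weekday >= 5:
            flagged.append(t["id"])
    return flagged

def fan_out(transfers, min_dests=3):
    """Source accounts paying at least min_dests distinct beneficiaries."""
    dests = defaultdict(set)
    for t in transfers:
        dests[t["source"]].add(t["dest"])
    return {src: len(d) for src, d in dests.items() if len(d) >= min_dests}

def review_queue(transfers):
    """Union of transfer IDs raised by the per-transfer rules, in input order."""
    hits = set(sod_violations(transfers)) | set(weekend_ledger_debits(transfers))
    return [t["id"] for t in transfers if t["id"] in hits]

if __name__ == "__main__":
    print("same maker and checker:", sod_violations(TRANSFERS))
    print("weekend ledger debits: ", weekend_ledger_debits(TRANSFERS))
    print("fan-out by source:     ", fan_out(TRANSFERS))
    print("review queue:          ", review_queue(TRANSFERS))
```

T3 and T4 pass the maker-checker rule because two distinct users signed off, which is why the timing and fan-out rules are needed alongside it when a small group colludes.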

What to Watch Next

The story is still unfolding. Key developments to follow include the findings of the international forensic audit (and whether interim discoveries push the loss figure higher again), the outcome of the CID's pursuit of senior officials, how much of the diverted money — especially the crypto-converted portion — can actually be recovered, and whether the CBSL forces leadership changes at the bank.

For now, the clearest message is the one that corrects the original misconception: NDB was not hacked. It was defrauded from the inside. And in banking, that failure of trust and control can be every bit as damaging as any cyberattack.


Sources

  • Central Bank of Sri Lanka — "National Development Bank PLC – Internal Fraud" (cbsl.gov.lk)
  • EconomyNext — "EXPLAINER: Sri Lanka NDB's Rs. 13.2 billion internal fraud"
  • EconomyNext — "Sri Lanka's NDB says loss from internal fraud Rs13.2bn, trading halted"
  • Daily Mirror — "NDB Bank fraud shock deepens to Rs. 13.2 bn" / "NDB fraud exposes control gaps"
  • Daily FT — "Court orders arrest of senior NDB officials who aided alleged Rs. 13.2 b fraud"
  • The Island — "NDB fraud: Overseas forensic experts to probe governance lapses, CBSL confirms" / "Court orders further arrests in alleged USD 42 Mn NDB fraud case"
  • Newswire.lk — "Rs. 13.2 billion fraud at NDB: CBSL issues statement" / "NDB faces global forensic audit as fraud probe escalates"
  • Lanka News Web — "Rs. 13.2 Billion NDB Fraud Triggers National Banking Shock"

This article is a factual summary compiled from public reporting and official statements as of 22 May 2026. Details of the ongoing investigation may change; individuals named in connection with arrests are suspects and are presumed innocent unless and until proven guilty.
