| Item | Type | Forensic Significance | Grade |
|---|---|---|---|
| E-11 — NDB CEFT Timeout Letter (Mar 17, 2026) | Official NDB letter | Proves CEFT timeout-induced phantom credits known inside NDB since July 2023 — 12 months before fraud period. Reconciliation sweep started Feb 27 — 33 days pre-disclosure. | Confirmed |
| E-12 — NDB Customer Assurance Letter (Apr 8, 2026) | Official NDB letter | Dual-signed: Chairman Sriyan Cooray + CEO Kelum Edirisinghe. Confirms CBSL informed "from the outset." Definitively confirms Chairman name. | Confirmed |
| E-13/14 — Extended WhatsApp +254 Script (3 new screens) | Screenshots | ATM deposit mechanism confirmed. Agent franchise model: 5% per recruit, $20k throughput. Active territory expansion in Sri Lanka. | Confirmed |
| E-16 — Sinhala Social Media Post | Social media | "Buy Today" named as crypto intermediary. Password theft mechanism. Rs. 3.9B suspect figure. No corroboration — monitor for CID court naming. | Unverified |
| E-17 — Reddit r/srilanka — Former Auditor Comment | Public forum | Independent expert validation: "not one person's task — Accounts, internal audit, external auditors all involved." Confirms multi-layer failure thesis. | Strong |
| T-02 — Mirror Trading / Derivative Laundering Theory | Analytical theory | 5-step flow: opposing positions across exchanges, one side liquidates, value reappears as trading P&L on clean exchange. Consistent with Chinese-language offshore evidence. | Credible hypothesis |
Most forensically significant new finding in v5
This letter upgrades the CEFT exploit from theory to documented institutional knowledge. NDB's own CEFT team formally documented a timeout-induced duplicate credit in writing in 2023. The reversal only happened in a sweep starting February 27, 2026 — 33 days before the first public disclosure on April 2. The sweep was almost certainly triggered by the internal fraud investigation already underway.
Exhibit E-11 · NDB Letter · 17 March 2026 · Source: Reddit r/srilanka
NDB formal letter: "Clarification on Payment Reversal Processed on Credit Card #4815" — dated 17 March 2026
Key passages — full transcript
Original transaction: July 26, 2023 — Rs. 250,000 via CEFT.
The timeout: "Our CEFT team later confirmed that this transaction was unsuccessful due to a timeout."
Duplicate credit created: Card reflected Rs. 500,000 on July 27. "This duplication remained unnoticed at the time."
Duration undetected: July 2023 → February 2026 = 2.5 years.
Reversal applied: February 27, 2026 — during "reconciliation process."
Letter dated: March 17, 2026 — same day as CRO "multiple layers of defence" investor webinar.
Three forensic implications
1. CEFT timeout creating phantom credits was a known, documented failure mode — yet the same mechanism ran undetected for 18 months in the fraud operation.
2. The February 2026 reconciliation sweep timing — 33 days pre-disclosure — confirms NDB had internal knowledge of the full scale before informing the market.
3. The March 17 letter and the CRO webinar are the same day. NDB was acknowledging CEFT control failures in writing to customers while publicly reassuring investors.
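The control that would have caught the E-11 failure mode on day one is a daily reconciliation of ledger credits against the final settlement status reported by the payment switch. The sketch below is an added example, not NDB or CEFT code; the record layouts, reference numbers and account labels are hypothetical, and the settled retry leg in the sample data is an assumption (the letter only states that the card reflected Rs. 500,000).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class SwitchLeg:
    """One row of the payment-switch settlement file (hypothetical layout)."""
    ref: str
    amount: Decimal
    status: str  # "SETTLED", "TIMEOUT" or "REJECTED"

@dataclass(frozen=True)
class LedgerCredit:
    """One credit posted to a card or account ledger (hypothetical layout)."""
    ref: str
    account: str
    amount: Decimal
    posted: date

def reconcile(legs, credits, as_of):
    """Return ledger credits the switch never settled, oldest first."""
    settled = defaultdict(Decimal)  # ref -> amount the switch actually settled
    seen = set()                    # every ref the switch knows about
    for leg in legs:
        seen.add(leg.ref)
        if leg.status == "SETTLED":
            settled[leg.ref] += leg.amount
    by_ref = defaultdict(list)
    for c in credits:
        by_ref[c.ref].append(c)
    exceptions = []
    for ref, posts in by_ref.items():
        credited = sum((p.amount for p in posts), Decimal(0))
        excess = credited - settled.get(ref, Decimal(0))
        if excess <= 0:
            continue
        if ref not in seen:
            reason = "NO_SWITCH_RECORD"   # credit with no switch leg at all
        elif ref not in settled:
            reason = "UNSETTLED_CREDIT"   # timed out or rejected, yet credited
        else:
            reason = "OVER_CREDIT"        # settled once, posted more than once
        first = min(p.posted for p in posts)
        exceptions.append({"ref": ref, "account": posts[0].account, "reason": reason,
                           "excess": excess, "age_days": (as_of - first).days})
    return sorted(exceptions, key=lambda e: -e["age_days"])

# Constructed sample data; references and account labels are made up.
LEGS = [
    SwitchLeg("CEFT-A1", Decimal("250000"), "TIMEOUT"),
    SwitchLeg("CEFT-A2", Decimal("250000"), "SETTLED"),   # assumed retry
    SwitchLeg("CEFT-B1", Decimal("40000"), "SETTLED"),
]
CREDITS = [
    LedgerCredit("CEFT-A1", "CARD-X", Decimal("250000"), date(2023, 7, 27)),
    LedgerCredit("CEFT-A2", "CARD-X", Decimal("250000"), date(2023, 7, 27)),
    LedgerCredit("CEFT-B1", "CARD-Y", Decimal("40000"), date(2025, 1, 10)),
    LedgerCredit("CEFT-B1", "CARD-Y", Decimal("40000"), date(2025, 1, 10)),
]

if __name__ == "__main__":
    for e in reconcile(LEGS, CREDITS, as_of=date(2026, 2, 27)):
        print(e)
```

The `age_days` field is the metric to alert on: any exception older than one settlement cycle means the reconciliation control itself is not running.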
Exhibit E-12 · NDB Customer Letter · 8 April 2026
Signed by Sriyan Cooray (Chair, Board of Directors) and Kelum Edirisinghe (CEO)
Four forensic implications
1. Chairman name confirmed definitively. "Sriyan Fernando" (widely reported incorrectly) is wrong. This signed document confirms Sriyan Cooray.
2. CBSL informed "from the outset." Combined with the CBSL backstop letter dated April 5 — one day before the Rs. 13.2B disclosure — confirms weeks of behind-closed-doors regulatory knowledge before the public knew.
3. Internal controls rebuild confirmed. "Already begun strengthening our internal controls and oversight mechanisms."
4. Personal accountability on record. Both Chair and CEO signed specific public assurances. If those assurances prove inaccurate, personal liability is on the table.
Same operator +254 798 794782 — 4 screens now available giving the complete mule recruitment conversation
Three new screenshots reveal: (1) ATM deposit as the specific fraud mechanism, not CNP/online, (2) "I wish I had an agent in your country" — active territory building, (3) Professional 5% franchise commission at $20k per mule account throughput.
Screen 1 (E-07) — BIN 555920 onboarding
Screen 2 (E-13) — ATM deposit revealed
Screen 3 (E-14) — Agent franchise 5%
E-13 — ATM Deposit Mechanism Confirmed
Recipient: "But to transfer the money you don't need a card number right? Account number itself is enough right"
Operator: "I need these numbers bro because it is an ATM deposit. I need the card number."
Why this matters: Fraud channel is ATM card-to-card deposit fraud — not online CNP. Card number + expiry only. No CVV. No OTP triggered. Explains why victims report no OTP — the transaction never entered the OTP authentication pathway.
E-14 — Agent Franchise Model
Operator: "Can you get more people who can even open the bank right now? I wish I had an agent in your country bro"
Recipient: "I'll be the agent"
Operator: "For every person you find and they cooperate, I will be giving you a 5% of all the money. So imagine 5% of $20k from 5 or 10 people bro"
Confirmed: Professional multi-level recruitment. Expected throughput per mule: $20,000. This is a structured franchise operation, not opportunistic fraud.
Exhibit E-06 — Social Media Composite · Source: NDB_Bank_Internal_Fraud_1.pdf
Telegram BIN 530525 probe (Nov 13, 2025) · Facebook mule recruitment in SL groups · Chinese-language offshore exchange · NDB Official Statement
Key observations: (1) Telegram Nov 13, 2025 — advertising existing credentials, not requesting them. (2) Facebook: BIN 530525 specific solicitation — "message for refund work." (3) Chinese WeChat: offshore actor requesting NDB account access. (4) Profiles visible: Kamesh Diego, Ruby/Ishtikar Junaid, Johany — active engagement.
Exhibit E-10 — Fraud Actor Network Map · Source: NDB_Bank_Internal_Fraud.pdf
Three-layer structure: central hub identity → Facebook/Telegram distribution layer → NDB card fraud victim layer
Hub-and-spoke: Central identity managing multiple profiles connects via visible threads to downstream Facebook/Telegram recruiters. Victim layer (NDB customer complaint threads) connected to the network confirms the chain from data theft to real-world card fraud to victims.
Handle with caution — not in any court record or credible press
The "Buy Today" name and Rs. 3.9B figure have zero corroboration. May be genuine intelligence leaking through social media before official confirmation, or speculation. Do not publish as confirmed. The only "buytoday.lk" found in searches is a small consumer fashion page — unrelated. Watch for this name appearing in future CID court proceedings.
Exhibit E-16 — Sinhala Post · "Wilus Mama" / source closed platform
Claims graded
| Claim | Grade |
|---|---|
| Main suspect stole Rs. 3.9 billion | Unverified |
| 17-day remand | Unverified |
| Stolen staff passwords used | Plausible — not confirmed |
| "Buy Today" as crypto intermediary | Unverified |
| Crypto used for cashout | Confirmed (major CEX, court Mar 12) |
| Senior bank official as primary suspect | Confirmed (IT Deputy Manager) |
Exhibit E-17 — Reddit Comments · r/srilanka · u/SnooObjections100
u/SnooObjections100 — Former Auditor & Current Accountant
"It's certainly not one person task. Definitely Accounts Dept needs to be involved as well as internal audit team too. Questions will be raised about external auditors too as this has been happening for more than 2 years."
Why this matters as independent validation
This is a professional accountant — not a DAIT source — arriving from first principles at the same multi-layer institutional failure conclusion. It independently validates: (1) the multi-function involvement thesis, (2) the EY oversight failure concern, (3) the 2+ year duration point. Community reaction also shows real depositor flight risk — one commenter moving Rs. 50M+ across banks.
Status: Analytical hypothesis — consistent with offshore evidence — not confirmed
The theory addresses why no chain analysis has surfaced, even though a direct P2P sale of ~$42M USDT would leave an obvious blockchain trail. The mirror trading structure transfers value at the derivative settlement layer, not the wallet layer — invisible to standard blockchain analysis tools.
DAIT Expert Analysis — Publishable framing
"One technique that appears consistent with the movement pattern here — coordinated derivative positions across exchanges, where one side intentionally liquidates while the other profits, with value effectively reappearing on a clean exchange looking like trading income. Whether that's what happened here I can't confirm — but it's the kind of structure that fits when you need to move large value across jurisdictions without a direct on-chain fingerprint."
01 · Funds enter Exchange A — source side
Stolen funds converted to crypto via P2P on a major centralised exchange and deposited onto Exchange A — the dirty source side. The exchange was confirmed in court proceedings March 2026.
02 · Opposing positions opened across Exchange A and Exchange B
Long position on Exchange B (clean destination). Corresponding short on Exchange A (dirty source). Same actor or coordinated counterparty controls both sides.
03 · Exchange A short liquidated intentionally
Margin not maintained — short liquidates. Funds on Exchange A appear "lost" as a trading loss. Looks like normal speculation gone wrong.
04 · Value reappears on Exchange B as trading profit
Long position profits correspondingly. Same value now exists on Exchange B — different exchange, different jurisdiction, different KYC layer — appearing as legitimate trading income.
05 · Clean funds withdrawn — connection severed
Exchange B withdrawal looks like a normal trading payout. The value transfer happened at the settlement layer, not the blockchain layer. Standard chain analysis cannot detect this. The Chinese-language offshore coordinator (Exhibit E-06) is consistent with running this kind of cross-exchange position.
Why this fits NDB specifically
Scale: $42M direct P2P would be detectable. Derivative route is not.
Offshore actor: The Chinese-language WeChat exchange matches the profile of a cross-exchange derivatives coordinator, not a simple P2P buyer.
Precedent: Structurally identical to Deutsche Bank mirror trading scandal ($10B+, 2011–2015) and documented Southeast Asian crypto derivative laundering networks since 2021.
Forensic test: Subpoena exchange records for accounts linked to +254 operator and Chinese coordinator. Look for coordinated opposing positions opened within 24 hours of NDB CEFT transfers.
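The forensic test above can be run mechanically once position records from both exchanges are in hand. The following is an added example for investigators, not part of the original report: the record layout, exchange and account labels are hypothetical, the data is constructed, and the one-hour pairing gap and 5% size tolerance are assumed tuning values. It reads "within 24 hours of a transfer" as the 24 hours after it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations

@dataclass(frozen=True)
class Position:
    """One derivative position from an exchange's records (hypothetical layout)."""
    exchange: str
    account: str
    instrument: str
    side: str            # "LONG" or "SHORT"
    notional_usd: float
    opened: datetime
    liquidated: bool

def mirrored_pairs(positions, transfers, after_transfer=timedelta(hours=24),
                   pair_gap=timedelta(hours=1), tolerance=0.05):
    """Pair opposing positions on different exchanges opened soon after a transfer.

    pair_gap and tolerance are assumed tuning values, not figures from the report.
    """
    hits = []
    for a, b in combinations(sorted(positions, key=lambda p: p.opened), 2):
        if a.exchange == b.exchange or a.instrument != b.instrument:
            continue
        if a.side == b.side or b.opened - a.opened > pair_gap:
            continue
        if abs(a.notional_usd - b.notional_usd) > tolerance * max(a.notional_usd, b.notional_usd):
            continue
        if a.liquidated == b.liquidated:   # the pattern needs exactly one losing leg
            continue
        trigger = next((t for t in sorted(transfers)
                        if timedelta(0) <= a.opened - t <= after_transfer), None)
        if trigger is None:
            continue
        loser, winner = (a, b) if a.liquidated else (b, a)
        hits.append({"transfer": trigger, "instrument": a.instrument,
                     "loss_leg": (loser.exchange, loser.account),
                     "profit_leg": (winner.exchange, winner.account)})
    return hits

# Constructed records; exchange and account labels are placeholders.
T0 = datetime(2025, 6, 7, 9, 0)
TRANSFERS = [T0]
POSITIONS = [
    Position("EX-A", "acct-17", "BTC-PERP", "SHORT", 500_000, T0 + timedelta(hours=3), True),
    Position("EX-B", "acct-90", "BTC-PERP", "LONG", 495_000,
             T0 + timedelta(hours=3, minutes=10), False),
    # Unrelated trader: opposing side, but a week later and a different size.
    Position("EX-B", "acct-33", "BTC-PERP", "LONG", 20_000, T0 + timedelta(days=7), False),
    # Same-exchange hedge by the same account: must not be paired.
    Position("EX-A", "acct-17", "BTC-PERP", "LONG", 500_000, T0 + timedelta(hours=3), False),
]

if __name__ == "__main__":
    for hit in mirrored_pairs(POSITIONS, TRANSFERS):
        print(hit)
```

A hit is a lead, not proof: market makers and hedgers produce opposing cross-exchange positions routinely, so each pair still needs account-ownership linkage before it supports the T-02 hypothesis.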
F-13 — A major centralised exchange confirmed as the crypto cashout channel in court, March 12, 2026
Suspects accused of "fraudulently obtaining public deposits and routing the funds through cryptocurrency trades using accounts on a major centralised exchange." Magistrate Bodaragama called it "not ordinary theft" and issued three orders: (1) CBSL to prevent local currency moving overseas via crypto; (2) CID to act against exchange-facilitated fraud; (3) public awareness program on crypto risks. The exchange confirmed full cooperation with Sri Lankan law enforcement, citing KYC compliance and its regulatory licensing.
The critical gap this confirmation creates
CEX P2P operates through local traders as counterparties. The specific P2P desks or OTC traders who handled the LKR→crypto conversion remain unnamed. If "Buy Today" exists as a P2P desk on this exchange, it would appear in cooperation records shared with CID — not yet in public court documents.
Sri Lanka crypto legal context
Crypto is not illegal, but banks are prohibited from processing crypto-related card transactions under the Foreign Exchange Act. This forces all LKR→crypto conversion through P2P cash trades — less regulated, harder to trace — exactly the structure the +254 operator was building mule accounts to access.
| Ref | Finding | Source | v5 |
|---|---|---|---|
| F-01 | Rs. 13.2B total fraud confirmed | NDB CSE Disclosure #2, Apr 6 | |
| F-02 | Employees in collusion with "a third party or parties" | NDB CSE Disclosures | |
| F-03 | CEFT weekend window — 70+ transactions Rs. 5M each in final weekend alone | CEO statement Apr 8 | |
| F-04 | CEO acknowledged control failures: "collusion and monitoring gaps" | CEO media roundtable Apr 8 | |
| F-05 | 35× understatement — Rs. 380M → Rs. 13.2B in 4 days, no explanation | CSE comparison | |
| F-06 | 86-day silence gap — CID court Jan 7, no disclosure until Apr 2 | SL Mirror + CSE | |
| F-07 | CBSL private backstop Apr 5 — before public disclosure of true scale | NDB CSE Disclosure | |
| F-08 | Basel III Pillar II systems did not trigger — officially unexplained | EconomyNext | |
| F-09 | All implicated employees suspended, system access revoked | NDB official statement | |
| F-10 | Board dual-signed customer assurance letter — Chair Cooray + CEO Edirisinghe | NDB customer letter (E-12) | ✓ |
| F-11 | WhatsApp ATM deposit mechanism confirmed: "I need card number because ATM deposit" | Screenshot E-13 | ✓ |
| F-12 | 5% referral commission, $20k per mule throughput confirmed by +254 operator | Screenshot E-14 | ✓ |
| F-13 | Major CEX named in court as crypto cashout channel — March 12, 2026 | Daily Mirror, Crypto Times, SL Guardian | ✓ |
| F-14 | CEFT timeout failure mode documented by NDB's CEFT team since July 2023 | Official NDB letter (E-11) | ✓ |
| F-15 | NDB reconciliation sweep started Feb 27, 2026 — 33 days before first public disclosure | Official NDB letter (E-11) | ✓ |
Q-01 · Who is the unnamed mastermind?
CEO confirmed "70+ Rs. 5M transactions" in the final weekend. Person identified internally but unnamed publicly. One source claims fled to Chennai. Interpol notice pending?
Q-02 · Who are the "third party or parties"?
NDB's own disclosure names external parties but doesn't identify them. Is "Buy Today" one of them? Watch CID court hearings for naming.
Q-03 · Was the card database bulk-extracted and sold on dark web / Telegram markets?
Check core banking system query logs for bulk SELECT/EXPORT on cardholder table. Who, when, which terminal.
Q-04 · Was mirror trading / derivative laundering used as the value transfer mechanism?
New v5 question. Subpoena exchange records for coordinated opposing positions linked to +254 operator and Chinese-language coordinator. Look for positions within 24 hours of NDB CEFT transfers.
Q-05 · Who are the specific P2P traders on the identified CEX who handled LKR to crypto conversion?
The exchange cooperated with CID. The local P2P counterparty identities remain unnamed. These are the "last mile" of the cashout chain.
Q-06 · Why did EY not flag the Rs. 12.22B Other Financial Assets anomaly?
9× above historical average, 4× year-on-year. No qualified opinion. Which EY partner signed the NDB engagement? What explanation did they accept from management?
Q-07 · Did the board know about the January 7 court hearing before April 2?
Shanil Fernando joined the board January 13 — 6 days after the court hearing. The 86-day non-disclosure may be a CSE Rule 7.10 breach. Were board members briefed?
Q-08 · How many card fraud victims? Were any compensated?
Rs. 13.2B covers GL fraud only. Card fraud victims are a separate unacknowledged group. What is the total card fraud value?
Q-09 · Who is the forensic auditor? What is their mandate scope?
NDB announced a forensic audit on April 6. As of April 9, no auditor publicly named. Independence and mandate scope are critical signals to watch.
Confirmed — official source
Strong — corroborated
Unverified — single source
No basis
| Claim | Source type | Grade | v5 |
|---|---|---|---|
| Rs. 13.2B total fraud | Official CSE disclosure | Confirmed | |
| CEFT Rs. 5M weekend batches — CEO confirmed | CEO public statement Apr 8 | Confirmed | |
| IT Deputy Manager arrested, Rs. 100M+ through account | Court record | Confirmed | |
| Mohammed Mubarak Hamza remanded | Court record — named | Confirmed | |
| CEO questioned by CID | CID to court Jan 7 | Confirmed | |
| CBSL backstop Apr 5 before public disclosure | NDB CSE filing | Confirmed | |
| BIN 530525 targeted Nov 13 (E-06) | Social media screenshot | Confirmed | |
| Fraud actor network map (E-10) | Submitted document | Confirmed | |
| WA ATM deposit mechanism (E-13) | Submitted screenshot | Confirmed | ✓ |
| WA 5% agent commission $20k/mule (E-14) | Submitted screenshot | Confirmed | ✓ |
| Major CEX named in court Mar 12 (F-13) | Daily Mirror, Crypto Times | Confirmed | ✓ |
| CEFT timeout documented July 2023 (E-11, F-14) | Official NDB letter | Confirmed | ✓ |
| Feb 27 reconciliation sweep — 33 days pre-disclosure (E-11, F-15) | Official NDB letter | Confirmed | ✓ |
| Board dual-signed customer letter — Chair Cooray (E-12) | Official NDB letter | Confirmed | ✓ |
| Card database sold on dark web/Telegram | Analytical inference | Strong hypothesis | |
| Mirror trading derivative laundering (T-02) | Analytical theory | Credible hypothesis | ✓ |
| "Buy Today" as crypto intermediary | Sinhala social media only | Unverified | ✓ |
| Stolen staff passwords mechanism | Sinhala social media only | Unverified | ✓ |
| Mastermind fled to Chennai | Single confidential source | Unverified | |
| Offshore BVI shells / fake invoices | WhatsApp fiction only | No basis | |
| Version | Ref | Date | Key additions |
|---|---|---|---|
| v1.0 | DAIT-2026-NDB-001 | Apr 7 | Core facts, Rs.13.2B, 86-day silence, GL mechanism. Published t.me/Ceyntel/21. |
| v2.0 | DAIT-2026-NDB-002 | Apr 8 | Card fraud layer — BIN 530525, Telegram/Facebook evidence, WA mule script. |
| v3.0 | DAIT-2026-NDB-003 | Apr 8 | Named persons, full board registry, management roster, EY auditor analysis. |
| v4.0 | DAIT-2026-NDB-004 | Apr 8 | Fraud actor network map, all evidence packages embedded, interactive report. |
| v5.0 | DAIT-2026-NDB-005 | Apr 9 | CEFT proof letter, NDB customer letter, 4-screen WA script, CEX court confirmation, mirror trading theory, 15 confirmed findings. Exo 2 fonts + CeylonCash logo added. |
Misinformation still active
The fictional WhatsApp narrative — BVI shells, fake invoices, fabricated characters — is still circulating. Zero evidence basis. Do not distribute as intelligence.