As massive protests against Sri Lankan president Gotabaya Rajapaksa entered their eighth week, last month the hacktivist collective Anonymous stepped up to show support — in ways that have left cybersecurity experts and the general public alarmed and wondering whether the organization was doing more harm than good.
On April 20, Anonymous, the decentralized collective of internet activists, hit the websites of the Ceylon Electricity Board, the Sri Lanka Police, and the Department of Immigration and Emigration using distributed denial-of-service (DDoS) attacks. Twitter handles affiliated with Anonymous said the group had started the #OpSriLanka hashtag in support of the people and was “declaring cyberwar against the government.”
Many Sri Lankans had been calling for the group to step in, using the hashtag #AnonymousSaveSriLanka on social media. But as part of the attack, Anonymous hackers publicly shared thousands of usernames, passwords, and email addresses from the database of Sri Lanka Scholar, a private portal that connects students to various higher education institutions and uses the official “.lk” domain. The hackers released similar information about the agents registered with the Sri Lanka Bureau of Foreign Employment (SLBFE).