A self-described German security researcher has claimed responsibility for breaching the Malta Gaming Authority’s (MGA) systems, reportedly gaining access to sensitive data including operator compliance files and player records.
Lilith Wittmann, who presents herself as an ethical hacker, alleged last week via a social media post that was subsequently removed that she held material linking the regulator to organised crime within Malta’s gambling sector.
in a public statement on 17 March the MGA identified a breach within one of its systems and activated its internal response protocols. It said the event as being treated “with the utmost seriousness.”
The authority did not disclose specific details regarding the nature of the accessed data.
Wittman on 20 March admitted in a tweet that she had been the one to hack the regulator. “And yes, we will expose the organised crime enablement schemes you created while presenting yourselves as a ‘legitimate public service,’ she added.
MGA condemns Wittmann breach
The MGA condemned Wittmann’s claims in a follow-up statement on Friday. It said: “such conduct is unacceptable and incompatible with lawful engagement with public institutions and established governance frameworks.”
However the regulator noted Wittmann’s allegations were “unsubstantiated and do not undermine the MGA’s role as a regulator committed to transparency, due process and the rule of law”.
“The Authority operates within a robust legal and regulatory framework and carries out its statutory functions with integrity, independence and accountability,” it said.
Wittmann has been linked to ethical hacking within the gambling sector before.
In March 2025 she unveiled a vast player data breach across German gaming sites operated by Merkur Gaming. The instance involved the breach of unsecured APIs, and exposed approximately 800,000 player accounts through an unsecured API endpoint.
At the time she wrote in a blog that she had been able to access hugely sensitive player data through a GraphQL query, including banking details and sign-up information.
The incident raised questions around the protective measures operators and their third-party suppliers should have in place to protect players. At the time the German regulator (GGL) did not take a hard line stance against the companies in question.
But Wittmann highlighted the risk that the GGL could be implicated if hackers were to obtain additional player data from the regulator, using the breached information.
Original article: https://igamingbusiness.com/tech-innovation/cybersecurity/german-security-researcher-breaches-mga-claims-organised-crime/
