German Hacker Claims Breach of Malta Gaming Authority, Threatens Exposure of Organized Crime Links

A self-styled German security researcher has claimed she infiltrated the systems of the Malta Gaming Authority and is holding a trove of data she says exposes organized crime, prompting an active investigation as authorities scramble to respond. On March 17, the MGA, which licenses and oversees one of the world’s most concentrated online gambling hubs, published a brief statement on its website, acknowledging that it had “identified a breach within one of its systems” and had “immediately activated its internal response protocols.” The regulator added that all containment measures had been implemented as a precaution and that investigations were ongoing, emphasizing that the matter was being treated “with the utmost seriousness.” Beyond this, the statement revealed little: it did not name anyone, specify what data had been accessed, how long it had been exposed, or outline any potential consequences for the 304 licensed companies under its authority, though it promised further updates “in due course.”

Three days later, a German woman named Lilith Wittmann shattered that silence. In a LinkedIn post that spread rapidly through the iGaming industry before apparently being removed, Wittmann delivered a blunt and cryptic account of the breach. Addressing the MGA directly, she wrote: “Dear Malta Gaming Authority, Yes, I hacked you, and the data obtained has been shared with media partners, authorities…” She then escalated the statement: “And yes, we will expose the organized crime enablement schemes you created while presenting yourselves as a ‘legitimate public service’.” Wittmann also shared the same message on her X account, which remains visible. Her posts were not framed as a remorseful confession but rather as a declaration of intent and a public opening statement.

The gravity of the situation becomes clearer when considering the MGA’s significance. Malta hosts firms including Kindred Group, Betsson, and LeoVegas, and gaming contributed an estimated EUR714.4 million ($828 million) in Gross Value Added in the first half of 2025 alone, roughly 6.5 percent of the country’s total economic output. The MGA licenses 304 companies holding 312 gaming licenses and oversees a sector employing over 14,500 people, about 5 percent of Malta’s workforce. The regulator’s databases contain detailed financial and compliance information on hundreds of operators, their beneficial owners, players, and potentially their anti-money laundering filings. Wittmann claims to have accessed all of this, turning what might be considered a minor IT breach into a potential map of one of Europe’s most lucrative and legally complex industries.

Wittmann, 30, based in Berlin, is no stranger to controversy. She calls herself a “Krawall-Influencerin,” or “chaos influencer,” dropped out of school at 16, completed a vocational qualification in software development, and later studied political science and sociology while working commercially. She is a member of the collective Zerforschung, which investigates IT security. Her previous notoriety includes uncovering a security flaw in the election campaign app of Germany’s CDU in 2021, which exposed nearly 20,000 party members’ personal data and the political opinions of over half a million citizens. She followed responsible disclosure, alerting authorities before going public, though the CDU filed a criminal complaint. The case was ultimately dropped when investigators concluded the data had been poorly protected and could not legally be said to have been “hacked.”

Her focus on the gambling industry is more recent. In March 2025, she reported a serious security flaw at Merkur affecting up to 800,000 players due to an unsecured API. The discovery led, she says, to the closure of at least 12 gambling sites after their software provider cut access to unregulated operators. Merkur, for its part, described Wittmann as an ethical hacker, not a criminal, concerned with exposing vulnerabilities.

The MGA incident, she indicates, is either the culmination of her investigation or the start of a broader effort. Her LinkedIn post was more than a confession—it carried explicit threats, stating she hoped “the German authorities are, for once, smart and do not extradite me to Malta, where I would face up to 10 years imprisonment for hacking a public service,” and adding, “Any police action from Malta would also trigger the immediate release of my entire archive of iGaming-related data.” This represents a stark escalation from prior disclosures: she is not offering responsible disclosure and is using the threat of mass data publication as a shield against prosecution. Whether this constitutes extortion under Maltese or German law is a question likely to occupy lawyers for some time. What is clear is that both the MGA and German authorities are now in a delicate position.

Wittmann appears aware of her legal exposure. Malta’s Criminal Code allows penalties of up to four years for unauthorized access, with harsher sentences for aggravated cases involving government or public-service systems. How these provisions might apply depends on prosecutorial interpretation. The European Arrest Warrant framework complicates matters further: a warrant from one EU state is enforceable across the bloc, including for computer crimes, and countries can no longer refuse surrender of nationals unless they will execute the sentence domestically. German law offers little protection either, as it criminalizes unauthorized data access regardless of intent, though outcomes hinge on whether security measures were bypassed and prosecutorial characterization. Germany could theoretically prosecute her domestically instead of extraditing her, a decision that may hinge on political as well as legal considerations.

Regardless of her legal fate, Wittmann’s claims demand scrutiny, particularly as she asserts that some data has already been shared with media partners and authorities. She has not yet released the data publicly, though that may change. Her allegation—that the MGA has operated as an enabler of organized crime while presenting itself as a legitimate regulator—is severe. The MGA has confined public statements to acknowledging the IT incident, stating only that it is “working closely with its technical teams,” without addressing the substance of her claims.

Malta’s gambling industry, its government, and the hundreds of companies that rely on the credibility of the MGA are now left waiting to see what data Wittmann possesses and what she intends to do with it. The MGA’s initial statement of March 17 was a typical regulatory crisis response, offering minimal detail. That strategy became untenable the moment Wittmann attached her name to the breach. Authorities in Malta and Germany, along with the iGaming sector, now face a high-stakes uncertainty over the veracity and potential impact of her archive.

By fLEXI tEAM