German security researcher claims responsibility for MGA breach

(AsiaGameHub) –   A German security researcher has admitted to compromising the systems of the Malta Gaming Authority (MGA), reportedly accessing confidential data such as operator compliance documents and player records.

Lilith Wittmann, who identifies as an ethical hacker, claimed last week in a since-deleted social media post that she possessed evidence tying the regulator to organized crime within Malta’s gambling industry.

On March 17, the MGA publicly confirmed a security incident within one of its systems and engaged its internal response protocols, stating that the matter is being treated with the highest priority.

The authority refrained from revealing specific details about the nature of the compromised data.

Wittmann confessed to the hack in a tweet on March 20, adding, “And yes, we will expose the organised crime enablement schemes you created while presenting yourselves as a ‘legitimate public service’.”

MGA condemns Wittmann breach

The MGA issued a follow-up statement on Friday condemning Wittmann’s actions, describing them as “unacceptable and incompatible with lawful engagement with public institutions and established governance frameworks.”

The regulator asserted, however, that Wittmann’s allegations are “unsubstantiated and do not undermine the MGA’s role as a regulator committed to transparency, due process and the rule of law”.

“The Authority operates within a robust legal and regulatory framework and carries out its statutory functions with integrity, independence and accountability,” the statement continued.

Wittmann has a history of involvement in ethical hacking within the gambling sector.

In March 2025, she revealed a significant player data breach across German gaming platforms operated by Merkur Gaming. The breach exploited unsecured APIs, exposing approximately 800,000 player accounts through an unprotected endpoint.

At that time, she wrote in a blog post that she utilized a GraphQL query to access highly sensitive player data, including financial information and sign-up details.

The incident prompted scrutiny regarding the security measures operators and their third-party providers should employ to protect players. The German regulator (GGL) did not take a strict enforcement approach against the companies involved at the time.

Wittmann, however, warned of the risk that the GGL could be implicated if hackers used the breached information to steal further player data from the regulator itself.