Who is the German hacker claiming responsibility for the MGA breach?

A German hacker has claimed responsibility for hacking the Malta Gaming Authority (MGA) and vowed to ‘expose the organised crime enablement schemes’ the regulator is alleged to be involved in.

Lilith Wittman posted her statement on X after the MGA confirmed last week that it was investigating a ‘system breach’ it believed was caused by an individual posing as a security researcher.

Wittmann wrote on X: “Dear Malta Gaming Authority, yes, I hacked you, and the data obtained has been shared with media partners, authorities,…

“I am certain that the information obtained is so valuable for the public discourse that obtaining it will one day, in the not-too-distant future, be seen as a justified necessity. We will expose the organised crime enablement schemes you created while presenting yourselves as a ‘legitimate public service’.”

Wittman went on to state that she hoped the German authorities are ‘for once, smart and do not extradite me’, warning that any action from the police in Malta would ‘trigger the immediate release of my entire archive of iGaming-related data’.

The MGA, in a statement, confirmed it was aware of the claims but said they are ‘unsubstantiated’ as it condemned any unauthorised access to its systems.

Who is Lilith Wittman?

Wittman is part of the Chaos Computer Club, which describes itself as Europe’s largest association of hackers, focused on highlighting technical and societal issues such as surveillance, privacy and freedom of information.

In the past, the group has been responsible for exposing flaws in Apple’s Touch ID and Germany’s banking system, as well as publishing the fingerprint of German Interior Minister Wolfgang Schäuble to demonstrate the dangers of biometric surveillance.

In 2021, Wittman, who is a security researcher in Berlin, hacked into the app of Germany’s ruling political party, the Christian Democratic Union (CDU), gaining access to the personal information of over 20,000 CDU members.

She also has a connection to both the gaming industry and Malta.

In March 2025, Wittman released a blog post that claimed that data held by Merkur Group for over a million players was publicly accessible, including payment data and identification records.

These data related to the merkurbets.de, crazybuzzer.de, and slotmagie.de websites, run by various subsidiaries of Merkur based in Malta and using software from the Maltese company The Mill Adventures.

At the time, Wittman contacted the German gaming regulator about the breach and stated her belief that security gaps in the software used by The Mill Adventure were partly responsible for the incident.

On the same day of the attack, Merkur moved to fix the vulnerability and implement security audits and additional internal safeguards.

Taking a more sinister turn

Unlike the incident involving Merkur and The Mill Adventure, Wittman has been quick to make accusations of criminality against the MGA.

In response, the MGA has argued that it operates with a ‘robust legal and regulatory framework’.

The regulator added: “[The MGA] carries out its statutory functions with integrity, independence and accountability. Allegations made in the context of unauthorised system access are unsubstantiated and do not undermine the MGA’s role as a regulator committed to transparency, due process and the rule of law.

“For more than two decades, the MGA has operated within established legal and governance frameworks, and will continue to do so.”

The MGA described Wittman’s conduct as ‘unacceptable and incompatible with lawful engagement with public institutions and established governance frameworks’.

Wittman responded to the statement in a further post on X, stating that claims of operating a robust legal framework would be called ‘organised crime structures’ in other countries.

For now, there has been no indication of what data Wittman has been able to access, if she was responsible for the attack, and what she plans to do with it.