Three days later‚ on 20 March‚ a German cybersecurity researcher‚ Lilith Wittmann‚ claimed on X responsibility for the hack‚ stating that they had already passed the information to media partners and authorities and that they were planning to expose schemes that eased organized crime which had been created by the regulator itself․ This post was taken down shortly after posting but had already been reported on by several media outlets․
What is Wittmann actually saying?
Wittmann said she received operator compliance files and player information‚ and her claims against the MGA go beyond the technical breach․ Although she’s claiming some connection with organized crime for the regulator‚ she hasn’t shown any public material up to this point․ She said herself that she’s not ready to answer questions yet and will publish the material later․
She further threatened to release a larger trove of iGaming data she held if extradition to Malta were attempted․ In Malta‚ hacking a public institution is punishable by up to 10 years in prison․
The regulator’s response
MGA called the hack unacceptable and contested the publication of the stolen data․ The regulator rejected all allegations as unfounded and stated it would continue to operate as normal․
The MGA did not specify what was accessed‚ though it is unknown whether player records‚ operator documentation or internal files were hacked․
Who is Lilith Wittmann?
Wittmann has previously investigated matters related to iGaming‚ having published a March 2025 report detailing a security flaw on Merkur Gaming-managed German online gambling websites: the personal data of 800‚000 player accounts was exposed via an unsecured Application programming interface (API) endpoint․ The leak originated from software of the Maltese-based The Mill Adventure‚ which operates brands such as Merkurbets․de‚ Crazybuzzer․de‚ and Slotmagie․de on behalf of operators‚ but the GGL failed to adequately respond at the time of the leak․
Prior to researching gambling‚ Wittmann discovered vulnerabilities in Germany’s public sector‚ particularly regarding election systems‚ and regularly instigated investigations into these matters․
These allegations are different from those previously leveled
Wittmann has talked about not only technical matters but also claims that the regulator itself has links to organized crime․ This is a different kind of allegation though‚ and is not the first that Malta has faced on these grounds․
As part of a series of anti-mafia investigations in 2018‚ the MGA announced that it was conducting a sector-wide review of the companies offering services to Italian citizens․ In 2019‚ former MGA CEO Heathcliff Farrugia was implicated in a scandal in which confidential compliance data was leaked to local casino operator Yorgen Fenech‚ who was later arrested and imprisoned on several charges‚ including the murder of journalist Daphne Caruana Galizia․ Farrugia resigned in December 2019 following Fenech’s arrest․
What this means for MGA and the industry
With the MGA at the center of this bruhaha‚ the regulatory framework for the hundreds of operators within its jurisdiction reaches far beyond one cybersecurity issue․ Malta has issued licenses to more than 300 companies․ If Wittmann posts anything from the archive she claims to have‚ the industry will listen․
