Lilith Wittmann strikes again – this time, Malta Business Registry data exposed via API flaw

Lilith Wittmann has once again turned her attention to Malta’s digital systems. But unlike her previous breach involving the Malta Gaming Authority, she insists this time there was no hack.

Instead, the Berlin-based security researcher and activist claims she was able to download more than 1.3 million documents from the Malta Business Registry for just €0.01 via its API, during a period when the registry was offline over the long weekend.

“Some gambling companies might not have been able to use the long weekend to start a new shell company in Malta,” she wrote. “That’s because, since Thursday, the Malta Business Registry has been offline. And no, this time I really did not hack you. You sold me 1.3 million PDFs for 1ct via your API.”

She added that she used the opportunity to effectively “back up” the registry, pointing to what she described as recurring issues with missing documents on the platform.

“I thought it might be a good idea to do a backup of the registry because we both know that it sometimes has the tendency to lose documents,” she said. “Which is not really a feature a public company register should ever have.”

According to Ms Wittmann, the dataset also enables faster identification of potentially suspicious corporate networks.

“A nice side effect is also that a full-text search index on a company registry enables me to identify companies that I would see as part of organised crime networks much faster than before,” she added.

The incident follows her high-profile breach of the Malta Gaming Authority earlier in March 2026, where she claimed to have had access to internal systems “for months” before the regulator became aware. 

At the time, Ms Wittmann, who is affiliated with the Chaos Computer Club, argued that the data obtained was of “significant public interest” and could be seen as a “justified necessity” for public discourse.

She also described the MGA breach as relatively straightforward, comparing it to her earlier work involving Germany’s Christian Democratic Union, where she exposed vulnerabilities in the party’s election campaign app in 2021. That case initially resulted in a criminal complaint, which was later dropped following public backlash.

Ms Wittmann has previously intersected with the iGaming ecosystem. In 2024, she accessed sensitive personal data of more than one million online casino players by exploiting vulnerabilities in software provided by Malta-based The Mill Adventure. The exposed data reportedly included names, email addresses, payment details and session information across several German-facing casino platforms.

While the Malta Business Registry incident differs in nature from a traditional breach, it raises equally serious questions around data governance, API security, and access controls. If confirmed, the ability to extract large volumes of official corporate documentation at negligible cost points to structural weaknesses rather than isolated failure. 

The latest episode suggests that vulnerabilities may not be limited to regulators alone, but extend to the broader infrastructure underpinning Malta’s corporate and compliance ecosystem.

Image credit: Lilith Wittman / Martin Moerke CC BY-SA 4.0