‘Yes, I hacked you’ – German hacker claims to be behind Malta Gaming Authority security breach

Berlin-based security researcher and activist Lilith Wittmann has claimed responsibility for a data breach at the Malta Gaming Authority (MGA).

In a public statement posted on X and LinkedIn addressed to the regulator, the Ms Wittmann wrote: “Yes, I hacked you,” adding that the information gathered would be used to expose what she described as “organised crime enablement schemes” linked to Malta.

She said that data obtained in the breach has already been shared with media and authorities.

Ms Wittmann further warned that any attempt by Maltese authorities to pursue legal action against her would result in the immediate release of her full archive of iGaming-related data.

She also expressed hope that German authorities would not extradite her, noting she could face up to 10 years in prison under Maltese law for hacking a public service.

The hacker suggested that further revelations are forthcoming, referencing “upcoming releases concerning organised crime networks supported by countries like Malta,” though she declined to provide additional details at this stage.

Earlier this week, the MGA confirmed that it has identified a breach within one of its systems and has activated internal response protocols.

The Authority said it implemented containment and mitigation measures immediately and is dedicating technical and operational resources to a full investigation.

“Initial indications suggest that the activity may be attributable to an individual presenting themselves as a security researcher,” the regulator stated, adding that investigations remain ongoing to establish the full scope of the incident and ensure appropriate safeguards are in place.

The Authority emphasised that it is treating the matter with “the utmost seriousness” and is working closely with relevant stakeholders. Further updates are expected to be provided to affected entities in due course.

In her statement, Ms Wittmann – a member of the Chaos Computer Club, an organisation dedicated to computer security – said that the data obtained is of significant public interest and could ultimately be viewed as a “justified necessity” for public discourse.

In a comment, she added that she had access to the MGA’s system “for months”, despite the regulator only becoming aware of the breach this week.

She also claimed that breaching the MGA’s systems was relatively straightforward, comparing it to a previous incident involving Germany’s Christian Democratic Union (CDU), where she exposed vulnerabilities in the party’s election campaign app in 2021. That case initially led to a criminal complaint before being dropped following public backlash.

Ms Wittmann has previously targeted entities within the iGaming ecosystem. In 2024, she accessed sensitive personal data of more than one million online casino players by exploiting vulnerabilities in software provided by Malta-based The Mill Adventure. Exposed data reportedly included names, email addresses, payment details and session information across several German-facing casino platforms.

The MGA was approached for comment.