A self-styled German security researcher has claimed she breached the Malta Gaming Authority‘s systems and is sitting on a trove of data she says exposes organized crime. Authorities are investigating. The clock is ticking.
On March 17th, the Malta Gaming Authority, the regulatory body that licenses and oversees one of the world’s most concentrated hubs of online gambling, published a terse statement on its website. It had “identified a breach within one of its systems” and had “immediately activated its internal response protocols”. All containment measures had been implemented as a precaution. Investigations were ongoing. The authority was treating the matter “with the utmost seriousness.”
It said very little else. It did not name anyone. It did not say what data had been accessed, or for how long, or what the consequences might be for the 304 licensed companies that operate under its authority. It promised further updates “in due course”. Three days later, on Friday, a German woman named Lilith Wittmann rendered that careful silence moot.
In a LinkedIn post that spread rapidly through the iGaming industry (and that was apparently quickly removed by LinkedIn), Wittmann gave a blistering and cryptic account of the breach. She wrote, in a message addressed directly to the MGA: “Dear Malta Gaming Authority, Yes, I hacked you, and the data obtained has been shared with media partners, authorities…” She then went further: “And yes, we will expose the organized crime enablement schemes you created while presenting yourselves as a ‘legitimate public service’.” She shared the same message on her X account which is still visible at the time of writing. Her posts weren’t as much a remorse filled confession as they were an opening statement.
Regulator/gatekeeper vs. ‘Chaos influencer’
To understand why this matters and the gravity of this situation, you need to understand what the MGA actually is. Malta is one of the most significant gaming hubs in Europe and indeed the world, playing host to firms such as Kindred Group, Betsson and LeoVegas. Gaming contributed an estimated EUR714.4 million ($828 million) in Gross Value Added in the first half of 2025 alone, representing 6.5 percent of Malta’s total economic output. The number of companies licensed by the MGA currently stands at 304, collectively holding 312 gaming licenses, and the sector employs over 14,500 people, which is roughly 5 percent of Malta’s workforce.
The MGA is not simply a regulator in the traditional sense. It is the gatekeeper to a vast, internationally significant industry. Its databases contain detailed financial and compliance information on hundreds of gaming operators, their beneficial owners, their players, and potentially their anti-money laundering filings. What Wittmann claims to have accessed is not a minor government database. It is, if her account is accurate, a map of one of Europe’s most lucrative and legally complex industries. An industry that won’t be too happy to have its laundry, no matter the state of it, aired in public.
Wittmann is 30 years old, Berlin-based, and not new to this kind of controversy. A self-described “Krawall-Influencerin” (roughly translating to “chaos influencer”) she dropped out of school at 16, completed a vocational qualification in software development, and later studied political science and sociology alongside commercial work. She is a member of a collective called “Zerforschung”, which investigates the security of IT systems. She’s also well known in the German cybersecurity world.
In 2021, she became briefly famous, or notorious (depending on your perspective), when she discovered that the election campaign app of one of Germany’s biggest political parties, the CDU, exposed the personal data of nearly 20,000 party members and the recorded political opinions of over half a million ordinary citizens. She followed responsible disclosure protocols, reporting the flaw to federal authorities and the CDU’s own data protection department before going public.
The CDU’s response was to file a criminal complaint against her. The Chaos Computer Club, Germany’s largest hacker association, announced it would stop cooperating with the CDU entirely following the complaint. The case was eventually dropped when investigators concluded the data had been so poorly protected it could not legally be said to have been “hacked” at all.
Escalated gambling industry focus
Wittman’s gambling industry focus, however, is more recent and more deliberately prosecutorial in character. In March 2025, she alleged a serious security incident at Merkur, one of Germany’s largest gambling companies, claiming it may have affected up to 800,000 players. The flaw stemmed from an improperly secured API lacking proper authorization controls. Her findings led, she claims, to the sudden closure of at least 12 gambling sites, after the software provider behind them cut off access to unregulated operators. Merkur, for its part, stated they did not consider Wittmann a criminal, describing her as an ethical hacker concerned with exposing vulnerabilities.
The MGA operation, she has now indicated, is the culmination of this investigation, or the beginning of something larger still. Wittmann’s LinkedIn post was not simply a confession. It contained a threat that transforms the legal and political calculus considerably. She wrote that she hopes “the German authorities are, for once, smart and do not extradite me to Malta, where I would face up to 10 years imprisonment for hacking a public service.” She then added: “Any police action from Malta would also trigger the immediate release of my entire archive of iGaming-related data.”
This is a significant escalation beyond anything in her previous work. She is not offering responsible disclosure. She is not waiting for authorities to respond before going public. She is, explicitly, using the threat of mass data publication as a shield against her own prosecution. Whether that constitutes extortion under Maltese or German law is a question that will keep lawyers busy for some time. What is clear is that it has put both the MGA and the German authorities in an extraordinarily uncomfortable position.
Legal repercussions
Wittmann has clearly studied her legal exposure. Malta’s Criminal Code provides penalties of up to four years for unauthorized access offenses in ordinary cases, with significantly higher penalties in aggravated cases affecting government or public-service functions. Whether those aggravated provisions would apply here would depend on the facts alleged by prosecutors. The harder question is whether Malta can compel Germany to surrender her. Wittmann is betting it cannot, or will not. That bet may be shakier than she believes.
The European Arrest Warrant has replaced the lengthy extradition procedures that used to exist between EU member states. A warrant issued by one EU country’s judicial authority is valid across the entire territory of the EU. For 32 categories of offenses – which include computer crimes – there is no requirement to verify whether the act constitutes a criminal offense in both countries, as long as it is punishable by a maximum of at least three years in the issuing state. Critically, EU countries can no longer refuse to surrender their own nationals (unless the executing state undertakes to execute the sentence or detention order itself under domestic law).
Germany’s own hacking laws offer her little comfort. Since 2007, German criminal code has made it sufficient that an offender merely gains access to data and the intention is irrelevant. The law does not distinguish between ethical and malicious hacking, though the precise application would depend on whether security measures were bypassed and how prosecutors characterize the conduct.
Germany could theoretically choose to prosecute Wittmann domestically for the same conduct rather than surrender her to Malta, a maneuver that would keep her within a more sympathetic legal culture. Whether German prosecutors would want to be seen going after a woman who claims to be exposing organized crime links in a foreign regulator is, ultimately, a political question dressed in legal clothing.
Whatever legal fate awaits Wittmann, the substance of her allegations demands serious scrutiny, not least because she says data has already been passed to media partners and authorities. She has not yet published it. That may change.
Waiting game
Her claim is a serious one: that the MGA, one of the world’s most respected gaming regulators, has been operating as an enabler of organized crime networks while presenting itself as a legitimate public service. She has offered no evidence publicly yet. The MGA has not dignified the allegation with a direct response, confining its public communications to the language of an IT incident report.
But the MGA’s silence on the substance of the accusation could itself be considered conspicuous. An authority this central to Malta’s economy and international reputation, accused this explicitly of facilitating criminality, might be expected to say something more than that it is “working closely with its technical teams.”
The iGaming industry has long been dogged by concerns about the degree to which an aggressively accommodating regulatory environment in Malta has enabled operators with questionable practices to obtain legitimate cover. Many in the industry know the various structures and corporate constructs there that have made the rounds via certain individuals and media outlets in the past.
Whether Wittmann’s data substantiates those concerns and confirms various things many people already suspect, or whether this turns out to be the grievances of a political activist with exceptional hacking skills and a taste for drama will depend entirely on what she actually releases, and when.
Three things are now in motion simultaneously. Malta’s authorities are investigating the breach and, almost certainly, preparing a legal response that could quite possibly include an application for a European Arrest Warrant. German authorities will be aware of Wittmann’s public statements and are faced with a choice: act against her under domestic law, cooperate with a Maltese extradition request, or find reasons to do neither. And Wittmann herself is sitting on what she describes as an archive of iGaming-related data of significant public interest, using it as both a calling card and a bargaining chip.
The MGA’s terse statement of March 17th was typical regulator crisis response: divulging as little as necessary and promising its attention to the matter. That strategy became untenable the moment Wittmann put her name to the breach on LinkedIn.
Malta’s gambling industry, its government, and the hundreds of companies that chose Malta precisely because of the credibility of its regulatory framework are now waiting to find out what she actually has, and what she intends to do with it.
