A German cybersecurity researcher has publicly claimed responsibility for a recent breach of the Malta Gaming Authority’s computer systems, warning that data obtained during the hack has already been shared with journalists and law enforcement and threatening further disclosures.
Lilith Wittmann, a Berlin-based software developer and security activist who is a member of the Chaos Computer Club – described as Europe’s largest hackers’ association – posted on X alongside a screenshot of the MGA’s own breach announcement.
“Yes, I hacked you, and the data obtained has been shared with media partners, authorities,” she wrote, adding that she intended to “expose the organised crime enablement schemes you created while presenting yourselves as a legitimate public service.”
The MGA confirmed earlier this week that its systems had been accessed by someone who “presented” as a security researcher, saying it was treating the incident with the “utmost seriousness.” It has not confirmed who was responsible, which systems were affected, or whether sensitive data was compromised.
Wittmann expressed concern about potential extradition to Malta, where hacking a public service carries a maximum sentence of up to 10 years. “I am certain that the information obtained is so valuable for the public discourse that obtaining it will one day be seen as a justified necessity,” she said.
The claim lands in legally sensitive territory in Malta. In 2022, three University of Malta computer science students and their lecturer were arrested, strip-searched and criminally charged after responsibly disclosing security flaws in a student app, a case that sparked widespread outcry and eventually led to a Presidential Pardon in 2025 and the drafting of new laws to protect ethical hackers.
Wittmann herself has navigated similar controversies before. In 2021, she exposed serious vulnerabilities in the CDU’s campaign app in Germany. The party filed a criminal complaint, but withdrew it after a public backlash and the case was dropped.
More recently, she accessed personal data of over one million online casino players after exploiting weaknesses in software provided by Maltese company The Mill Adventure, a breach she described at the time as straightforward.
She made the same comparison about the MGA, saying the breach had been “as easy as hacking the CDU.”
