German “ethical hacker” Lilith Wittman has taken responsibility for a data breach at the Malta Gaming Authority (MGA). Wittman said she hacked into the MGA’s system and has shared data with media partners and authorities. 

In a post on X, the self-described “riot influencer” said the hack was aimed at exposing the organized crime enablement schemes the MGA has created while presenting itself as a “legitimate public service.”

Wittman is a member of the Chaos Computer Club, which claims to be “Europe’s largest association of hackers.”

“I am certain that the information obtained is so valuable for the public discourse that obtaining it will one day, in the not-too-distant future, be seen as a justified necessity,” she added.

She previously took responsibility for hacking Germany’s Christian Democratic Union political party, and said it was just as easy to breach MGA’s system. 

Dear Malta Gaming Authority,
Yes, I hacked you, and the data obtained has been shared with media partners, authorities,….

And yes, we will expose the organized crime enablement schemes you created while presenting yourselves as a “legitimate public service”. pic.twitter.com/Z7EqRnNbCk

— Lilith Wittmann (@LilithWittmann) March 20, 2026

MGA Says Hack Was Unacceptable

The MGA released a statement condemning the attack. While Wittman claims to be an ethical hacker, the gaming regulator said this attack was unwarranted and came without any disclosure. 

“While the individual has sought to frame their actions as a form of ethical hacking, the MGA notes that the activity did not involve any recognised or good faith disclosure to the Authority,” said the organization in a press release. 

It also denied accusations that it is in any way facilitating organized crime. It added, “The Authority operates within a robust legal and regulatory framework and carries out its statutory functions with integrity, independence and accountability.”

Wittman admitted that she could face a prison sentence of up to 10 years if she is extradited from Germany to Malta to face charges. However, she threatened that any action would trigger a release of the data she had obtained. 

In a follow-up post on X, she stated, “Any police action from Malta would also trigger the immediate release of my entire archive of iGaming-related data.”

Why Did She Target The MGA?

Malta is one of the biggest online gambling hubs in the world, licensing over 300 companies. 

In addition, many gambling companies are based in Malta due to its reduced tax rates. 

For example, SkyBet, one of Flutter’s UK betting brands, relocated its headquarters to the country last year. The move was expected to save the company as much as £55 million ($72 million) in annual taxes. 

The country has also attracted investment from esports organizations. BLAST was one of several companies to commit to projects in Malta last year. 

However, less stringent regulations have led to the country facing accusations of allowing gambling companies to launder money. 

In 2021, the Financial Action Task Force (FATF), an intergovernmental organization that sets global standards to combat money laundering, added Malta to its grey list. The FATF said there was not enough oversight of gambling companies, with weak anti-money laundering enforcement. 

The organization removed Malta from the list in 2023 as the country was deemed to have implemented extensive reforms to align with FATF’s recommendations. In 2024, the MGA also teamed up with the UK Gambling Commission in a bid to curb criminal behaviour and combat the rise of gambling harm.

Tensions Between European Nations and Malta

However, tensions persist between other European countries. In 2023, Malta passed Bill 55, an amendment to the country’s Gaming Act. 

Authorities in Germany, Austria, and the Netherlands have all voiced concerns that the bill protects gambling companies that are violating the law in their countries. 

The Maltese Civil Court has refused to enforce Austrian judgments ordering refunds of gambling losses for residents who played on Malta-licensed gaming websites. 

Wittman did not reveal any details of the information she had obtained from the hack. The MGA insists it regulates gambling companies with due diligence. 

“The Authority operates within a robust legal and regulatory framework and carries out its statutory functions with integrity, independence and accountability,” said the regulator. 

With data obtained from the hack reportedly given to authorities, we may see further legal battles between the MGA and other European regulators.