Malta’s gambling regulator is facing heightened scrutiny after a German security researcher publicly claimed responsibility for breaching one of its systems and accessing sensitive data. The incident, first acknowledged by the Malta Gaming Authority earlier in the week, has since escalated following detailed allegations and threats made online.

Hacker Claims Responsibility and Issues Warning

The Authority confirmed it had “identified a breach within one of its systems” and stated it had “immediately activated its internal response protocols.” It added that containment and mitigation measures were implemented as a precaution while investigations continue. At the time of the initial disclosure, the regulator did not identify the individual involved or provide details about the extent of the data exposure.

Days later, Lilith Wittmann, a Berlin-based security researcher, publicly claimed responsibility. In a message directed at the regulator, she stated: “Dear Malta Gaming Authority, Yes, I hacked you, and the data obtained has been shared with media partners, authorities…”

She followed with a more serious allegation, writing: “And yes, we will expose the organised crime enablement schemes you created while presenting yourselves as a ‘legitimate public service’.”

As reported by NEXT.io, Wittmann also warned of further consequences if legal action is taken against her. She stated that extradition efforts could trigger a wider release of data, adding: “Any police action from Malta would also trigger the immediate release of my entire archive of iGaming-related data.”

Her statements suggest that the breach may involve a substantial volume of information. According to her claims, the material could be relevant to public debate, although no evidence has yet been released publicly to support the allegations.

Regulator Rejects Allegations and Defends Framework

The Malta Gaming Authority responded with a firm statement, rejecting the claims and emphasizing its regulatory standards. It said it is “aware of public statements made by an individual claiming responsibility for unauthorised access to one of the Authority’s systems and making a series of allegations and threats in that context.”

The regulator added: “The MGA condemns any unauthorised access to its systems and any extraction, handling or dissemination of data obtained through such activity.”

It further stated: “Such conduct is unacceptable and incompatible with lawful engagement with public institutions and established governance frameworks.”

Addressing the accusations directly, the Authority noted: “The Authority operates within a robust legal and regulatory framework and carries out its statutory functions with integrity, independence and accountability. Allegations made in the context of unauthorised system access are unsubstantiated and do not undermine the MGA’s role as a regulator committed to transparency, due process and the rule of law.”

The statement also reaffirmed its long-standing position, adding: “For more than two decades, the MGA has operated within established legal and governance frameworks and will continue to do so.”

Broader Implications for the iGaming Sector

The situation has drawn attention due to the central role the regulator plays within the global online gambling industry. Malta remains a major licensing hub, with hundreds of operators relying on its framework. Any potential exposure of internal systems or data could have implications for companies operating under its authority.

Wittmann is not new to the gambling sector. She previously identified vulnerabilities in systems linked to a major German operator, an incident that reportedly led to the closure of several offshore sites. Her approach has attracted attention for combining technical findings with public disclosures.

Authorities in Malta continue to investigate the breach and assess its scope. The regulator has indicated that it is working with technical teams and relevant bodies to establish the full facts and determine appropriate next steps. It also stated that further updates will be provided as the situation develops.

At this stage, the key issues remain unresolved. The regulator has not confirmed what data, if any, was accessed, and Wittmann has not released supporting evidence for her claims. The outcome will likely depend on both the findings of the ongoing investigation and any future disclosures.