Lilith Wittmann vs. the Gambling Industry: Three Hacks, One Pattern, Zero Accountability

A Berlin-based hacker has now breached three major targets connected to gambling in escalating order — a political party’s app, a Malta-based platform powering German casinos, and the Malta Gaming Authority itself — and each time she says it was trivially easy. The pattern emerging from Lilith Wittmann’s disclosures is more damning than any single breach: an industry that stores the most sensitive personal and financial data imaginable, protected by security a hobbyist could defeat, overseen by a regulator with documented ties to organized crime that responds to exposure with legal threats rather than reform. For the millions of players who trust MGA-licensed casinos with their identities, bank details, and gambling histories, the implications are severe and immediate.

The MGA regulates 304 companies holding 312 gaming licences, generating €1.386 billion in gross value added — 6.7% of Malta’s entire economy. It bills itself as iGaming’s “gold standard.” Yet Wittmann, a 30-year-old Chaos Computer Club member who dropped out of school at 16, claims she walked through its digital front door, extracted data she says proves “organised crime enablement schemes,” and shared it with unnamed media partners and authorities. The MGA calls her claims “unsubstantiated.” She calls their security “as easy as hacking the CDU.” The data, she says, will speak for itself.


KEY FACTS AT A GLANCE

  • Who: Lilith Wittmann, 30, Chaos Computer Club member, Berlin-based security researcher
  • What: Three escalating breaches — CDU Connect app (2021), Merkur/Mill Adventure casino platform (2025), Malta Gaming Authority (2026)
  • MGA scale: 304 companies, 312 licences, €1.386 billion in gross value added — 6.7% of Malta’s GDP
  • Mill Adventure data exposed: 200 GB across 800K–1M player records, 70,000+ identity documents, payment data from seven providers
  • MGA response: Called organized crime claims “unsubstantiated,” condemned the breach as “unacceptable”
  • Dead man’s switch: Wittmann warns any police action from Malta triggers immediate release of her “entire archive of iGaming-related data”
Key figures: 304 MGA-licensed companies; 200 GB of player data exposed; €1B+ seized in Operation Galassia; 10 years maximum prison sentence for hacking.

The riot influencer who keeps finding unlocked doors

Lilith Wittmann describes herself as a “Krawall-Influencerin” — a riot influencer — and the “black bloc of administrative digitalization.” Born September 26, 1995, she dropped out of school at 16, completed vocational training as an application developer, worked at an international management consultancy, then pivoted to security research and political activism. She studied political science, sociology, and public administration while working. She is a member of the Chaos Computer Club, Europe’s largest hacker association, and co-founded bundesAPI, a satirical “Federal Office for Open Data” that shames government agencies into releasing public data. She operates through zerforschung, a hacker collective dedicated to investigating IT system security.

Her track record extends well beyond gambling. In 2021 alone, she exposed flaws in the Luca contact-tracing app, dismantled the German government’s ID Wallet app within days of its launch, and — most dramatically — unmasked a front company of the Bundesamt für Verfassungsschutz (Germany’s domestic intelligence service) by hiding an Apple AirTag in a postal package and tracking it to BfV headquarters in Cologne. In 2023, she generated a fraudulent credit report in the name of CDU politician Jens Spahn using a vulnerability in Bonify, a Schufa subsidiary. In December 2024, she presented findings on German prison system vulnerabilities at the 38th Chaos Communication Congress, revealing that prisoner connection data — call logs, relationship details, cell block information — was accessible through unprotected API endpoints.

Her methodology is consistent across all targets: she finds obvious, often elementary security failures, reports them through responsible disclosure channels, publishes when she believes the public interest demands it, and weathers the inevitable legal threats.

“CDU and SPD passed the hacker paragraph despite repeated warnings about consequences for civil society security research. It’s unfortunate but not really unexpected that the CDU is now persecuting inconvenient security researchers like myself on the basis of this paragraph.”
— Lilith Wittmann, to netzpolitik.org (2021)

What distinguishes Wittmann from typical security researchers is not technical sophistication but tactical boldness. She operates in the open, under her real name, with 44,700 followers on X, a Medium blog, and a Patreon funding her work. She does not find zero-day exploits or deploy advanced tooling. She finds doors left wide open — and walks through them in broad daylight.

Three breaches in five years trace a single thread

Lilith Wittmann’s iGaming Hack Timeline: three targets, escalating scope, same pattern

  • May 2021, CDU Connect App (political party app): 18,500 workers + 500K data points exposed; zero API authentication; “a few hours” to find. Response: criminal complaint filed, then withdrawn, then case dropped.
  • Feb 2025, Mill Adventure / Merkur Group (B2B casino platform): 200 GB of data, 1M+ player records, 70K+ ID documents, payment data; unsecured GraphQL API that could initiate transactions on any account; found “on the homepage in the browser console”. Response: GGL reprimand, no fines, no license suspensions.
  • Mar 2026, Malta Gaming Authority (the regulator itself): regulator’s internal systems breached, scope undisclosed by MGA; claims the data proves “organised crime enablement schemes”; “as easy as hacking the CDU”. Response: called the claims “unsubstantiated”, LinkedIn post removed.

Act I: The CDU Connect app (May–August 2021)

The pattern began with politics. In May 2021, Wittmann spent “a few hours” investigating CDU Connect, a canvassing app used by campaign workers ahead of Germany’s federal election. She discovered the app’s backend API had zero access controls — no authentication, no password, no API key. Anyone could query the endpoints and retrieve all stored data.

The exposure was substantial: personal data of roughly 18,500 campaign workers (email addresses, photos), 1,350 CDU supporters (addresses, dates of birth), and approximately 500,000 data points about the political opinions and attitudes of canvassed citizens, tied to geographic locations down to individual houses. She reported the vulnerability simultaneously to CDU’s data protection officer, CERT-Bund, and Berlin’s data protection authority on May 12, 2021.

CDU’s response established the template. Bundesgeschäftsführer Stefan Hennewig contacted Wittmann via his private Twitter account, then called her. During that call, he asked her to confirm she hadn’t saved data, offered her a consulting contract (declined), asked her to sign a non-disclosure agreement (refused), and then threatened to file a criminal complaint. On July 1, 2021, CDU filed a formal criminal complaint against “Lilith Wittmann und Unbekannt” at LKA Berlin.

When Wittmann published the criminal investigation letter on Twitter in early August, the backlash was immediate and severe. The CCC announced it would no longer report security vulnerabilities to the CDU.

“The CDU does this not only in this case, but also with digitalization and other important political issues. In that sense, this destructive approach is only consistent.”
— Linus Neumann, CCC spokesperson

The CDU withdrew the complaint within a week. Berlin prosecutors dropped the case entirely — not because of the withdrawal, but because the data had no protection whatsoever and therefore could not be “hacked” under German law.

Act II: The Mill Adventure / Merkur Group (February–March 2025)

Four years later, Wittmann turned to gambling. While researching German state gambling infrastructure — the LUGAS central monitoring system, KYC processes — she registered at legal German online casinos. On February 28, 2025, she found the first vulnerability “on the homepage in the browser console” of a Merkur Group casino site.

The technical failure was nearly identical to the CDU incident: an unsecured GraphQL API in The Mill Adventure’s B2B platform, with no authentication or authorization controls. Because a GraphQL server answers introspection queries that describe its own schema, the full database schema — query names like users, sessions, paymentOptionsV2 — was exposed to anyone who looked.
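To make the two failure modes concrete, the following is an added illustration written for this article; it is not The Mill Adventure’s code, uses no GraphQL library, and models resolvers as plain JavaScript functions taking (args, context). The data, user ids, role names and function names are all constructed for the example. It places the resolver that trusts the client beside one that enforces authentication and ownership, and shows a plain-code version of the introspection guard that production servers normally apply through their library settings.

```javascript
// Added illustration, not the platform's code: a plain-JavaScript model of an
// API whose resolvers trust the client, with the hardened form beside it.
// "Resolvers" are ordinary functions taking (args, context); context.user is
// whatever the server's authentication layer established for this request.

// Constructed sample data; every id, address and record here is made up.
const db = {
  users: [
    { id: 'u1', email: 'alice@example.invalid' },
    { id: 'u2', email: 'bob@example.invalid' },
  ],
  payments: [
    { id: 'p1', userId: 'u1', iban: 'IBAN-SAMPLE-1', amount: 50 },
    { id: 'p2', userId: 'u2', iban: 'IBAN-SAMPLE-2', amount: 120 },
  ],
};

// Failure mode 1: a resolver with no authentication and no ownership check.
// Any caller, logged in or not, reads any user's payment records by naming
// the userId. This is the shape of defect the article describes.
function vulnerablePaymentsResolver(args) {
  return db.payments.filter((p) => p.userId === args.userId);
}

// Shared authorization check for the hardened resolvers: the request must be
// authenticated, and the caller may only act on their own account unless
// they hold an admin role. The check lives server-side, in the resolver,
// never in the client.
function requireOwnerOrAdmin(context, userId) {
  if (!context || !context.user) {
    throw new Error('unauthenticated');
  }
  if (context.user.id !== userId && context.user.role !== 'admin') {
    throw new Error('forbidden');
  }
}

// Hardened read: same query, but gated by the ownership check.
function hardenedPaymentsResolver(args, context) {
  requireOwnerOrAdmin(context, args.userId);
  return db.payments.filter((p) => p.userId === args.userId);
}

// Hardened mutation: a state-changing operation (here, starting a withdrawal)
// applies exactly the same gate as the read. The article's finding that
// transactions could be initiated on any account is the mutation-side twin
// of the read-side defect above.
function hardenedWithdrawalResolver(args, context) {
  requireOwnerOrAdmin(context, args.userId);
  const owner = db.users.find((u) => u.id === args.userId);
  if (!owner) {
    throw new Error('unknown user');
  }
  return { status: 'pending', userId: args.userId, amount: args.amount };
}

// Failure mode 2: introspection. A GraphQL server answers __schema / __type
// queries with its full type and field list, which is how a reader of the
// browser console learns names such as users, sessions, paymentOptionsV2.
// This guard refuses such queries outside development. String literals are
// blanked first so a quoted argument containing "__schema" is not a false
// positive, and the word boundary keeps the legitimate __typename field
// from matching.
const INTROSPECTION_FIELDS = /\b__(schema|type)\b/;

function isIntrospectionQuery(query) {
  const withoutStrings = query.replace(/"(?:\\.|[^"\\])*"/g, '""');
  return INTROSPECTION_FIELDS.test(withoutStrings);
}

function shouldRejectQuery(query, env) {
  return env !== 'development' && isIntrospectionQuery(query);
}
```

Usage: call `hardenedPaymentsResolver({ userId: 'u2' }, {})` and it throws `unauthenticated`; call it with `{ user: { id: 'u1', role: 'player' } }` and it throws `forbidden`, while the vulnerable version returns Bob’s record to both callers. Disabling introspection is hardening only in the sense of reducing what an anonymous visitor learns; the authorization check in the resolver is the fix, and it has to be present on reads and mutations alike.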

“It didn’t take long before I had the providers’ API in my hands. I tried out a few potential queries and always had more data in my hand than I should have had.”
— Lilith Wittmann, to Heise Online

The scale dwarfed the CDU breach. The exposed data totaled approximately 200 GB across 800,000 to over 1 million player records: full names, postal addresses, email addresses, gaming histories, transaction records, risk assessments for gambling addiction, and — most alarmingly — 70,000+ identity verification documents (passport and ID card scans, selfies, address proofs) from KYC provider SumSub. Payment data spanned seven providers: roughly 104,000 Trustly records (IBANs and names), 120,900 PayPal records (emails and addresses), 128,965 Adyen records (including card details), plus Paysafecard, Skrill, and others. Beyond exfiltration, Wittmann discovered she could initiate financial transactions — deposits and withdrawals — on any user account via a publicly reachable payment service URL.

The affected brands were Merkur Group’s German online casinos: Slotmagie.de, Crazybuzzer.de, and Merkurbets.de, all operated through Malta-based subsidiaries and powered by The Mill Adventure, a Malta-registered B2B platform provider holding an MGA license (MGA/B2B/866/2021) and claiming ISO 27001 certification. Wittmann reported to the GGL the same day she discovered the flaw. The GGL secured forensic evidence, then notified Merkur. Wittmann published her findings on Medium on March 14, 2025. The GGL issued a public reprimand on March 17 against The Mill Adventure, Cashpoint Malta, and Solis Ortus Service for failing to conduct legally required annual penetration testing.

Then something unexpected happened. On March 21, Wittmann reported that The Mill Adventure had “pulled the plug” on unregulated operators using its software. Over a dozen illegal casinos in Germany went offline. The Mill Adventure had been simultaneously powering licensed German brands and unlicensed offshore operations — a fact its own platform architecture made possible.

“Research into illegal casinos works. We can take away casinos’ platforms, which, in contrast to the network blocks demanded by the GGL, actually works.”
— Lilith Wittmann

Merkur’s response was notably different from the CDU’s. The company characterized Wittmann positively as an “ethical hacker” rather than a criminal, expressed hope she would return or delete the data, and filed no criminal complaint. But its public statements downplayed the severity — claiming the vulnerability required “a particularly high level of technical expertise and bypassing of various security measures,” a characterization Wittmann’s own account directly contradicts. Meanwhile, notifications to affected players were criticized by German law firms as incomplete, omitting payment data, video identification photos, and gambling addiction risk assessments from the disclosure.

“They didn’t give a damn about the security of players’ data. We’re not talking about a few accidentally left open security gaps here.”
— Lilith Wittmann, to Heise Online

Act III: The Malta Gaming Authority (March 17–20, 2026)

On March 17, 2026, the MGA published a statement on mga.org.mt titled “Statement on the Identification of a System Breach,” confirming unauthorized access and noting that “initial indications suggest that the activity may be attributable to an individual presenting themselves as a security researcher.” The statement activated “internal response protocols” but disclosed nothing about which systems were affected or what data was compromised.

Three days later, on March 20, Wittmann claimed responsibility simultaneously on X and LinkedIn, posting alongside a screenshot of the MGA’s own announcement:

“Dear Malta Gaming Authority, Yes, I hacked you, and the data obtained has been shared with media partners, authorities… And yes, we will expose the organised crime enablement schemes you created while presenting yourselves as a ‘legitimate public service’.”
— Lilith Wittmann, on X (March 20, 2026)

She warned: “I hope the German authorities are, for once, smart and do not extradite me to Malta, where I would face up to 10 years imprisonment for hacking a public service. Any police action from Malta would also trigger the immediate release of my entire archive of iGaming-related data.”

That final sentence functions as a dead man’s switch — and the phrase “entire archive of iGaming-related data” suggests she holds material beyond the MGA breach itself, likely including the 200 GB from the Merkur/Mill Adventure investigation. She told Newsbook.com.mt the breach had been “as easy as hacking the CDU.”

“I am certain that the information obtained is so valuable for the public discourse that obtaining it will one day, in the not-too-distant future, be seen as a justified necessity.”
— Lilith Wittmann, to Newsbook.com.mt

The MGA’s follow-up statement on March 20 condemned “any unauthorised access to its systems” as “unacceptable and incompatible with lawful engagement with public institutions,” called Wittmann’s organized crime claims “unsubstantiated,” and asserted it operates within a “robust legal and regulatory framework” with “integrity, independence and accountability.” LinkedIn removed Wittmann’s original post for an unspecified policy violation. Her posts on X remain live.

Wittmann has not identified which media partners or authorities received the data. She closed: “As of today, I do not have anything else to share about the upcoming releases concerning the organised crime networks supported by countries like Malta. Therefore, please refrain from inquiries until further notice.”

Why MGA data is more dangerous than any operator breach

The MGA breach is unprecedented — no other major gambling regulator has been publicly hacked. And the data a regulator holds is exponentially more sensitive than what sits inside any single operator’s systems.

What the MGA Actually Holds: why a regulator breach is categorically different from an operator breach

  • Beneficial ownership records: who truly owns every licensed casino (directors, shareholders, UBOs)
  • Self-exclusion registry: names and data of vulnerable problem gamblers, the most sensitive category
  • AML/KYC audit results: which operators failed compliance checks and how badly
  • Enforcement files: investigations the MGA may have buried or deprioritized
  • Player complaint files: dispute details, identities, and resolution outcomes
  • Financial reporting: operator revenue, tax contributions, profit margins (competitive intelligence)
  • License applications: business plans, source-of-funds documents, personnel backgrounds
  • Investigation correspondence: details of suspected criminal activity referrals between agencies

A regulator like the MGA maintains beneficial ownership records for all 304+ licensees, including directors, shareholders, and ultimate beneficial owners who passed fit-and-proper checks. It holds AML/KYC audit results showing which operators had compliance failures. It stores enforcement correspondence and investigation files — records of every investigation, warning, fine, or license action, including details about suspected criminal activity. It maintains player complaint files, self-exclusion registries containing names and personal data of vulnerable problem gamblers, financial reporting from operators including revenue figures and tax contributions, and license application files containing business plans, marketing strategies, financial projections, personnel backgrounds, and source-of-funds documentation.

This data provides a comprehensive map of the entire regulated gambling ecosystem. If Wittmann’s claims about organized crime enablement are even partially substantiated by what she found, the consequences for MGA-licensed operators — and the players who use them — could be transformative. The question is whether the MGA’s history makes her claims plausible.

The answer, based on the documented record, is unambiguously yes.

Malta’s documented history of organized crime in gambling

The MGA’s “gold standard” reputation collides with a long, specific, and well-documented record of organized crime infiltration of its licensees — a record the regulator has repeatedly failed to address proactively. Gambling-linked money laundering operations are not unique to Malta, but Malta’s combination of regulatory weakness and industry scale makes it the most consequential case in iGaming.

Malta’s Track Record: Organized Crime in iGaming
Documented incidents linking MGA-licensed entities to organized crime (2015 – 2021), with what was found and the MGA’s role or response in each case:

  • 2015, BetUniq License Revocations. Found: 9 companies revoked; BetUniq CEO described as the ‘Ndrangheta “point man” in Malta. MGA’s role: REACTIVE (revoked only after Italian investigations exposed the links).
  • 2017, Operation Beta. Found: 30 arrested; Sicilian Mafia clan Santapaola-Ercolano laundering money through Maltese gambling companies. MGA’s role: SILENT (no public MGA enforcement action documented).
  • 2017, Malta Files. Found: 150,000+ leaked documents analyzed by 47 journalists across 16 countries; Malta exposed as “pirate base” for financial crime. MGA’s role: INDIRECT (MGA not directly implicated, but regulatory environment widely questioned).
  • 2017, Caruana Galizia Assassination. Found: investigative journalist killed by car bomb; alleged mastermind Yorgen Fenech was a gambling entrepreneur and one of Malta’s richest. MGA’s role: CONNECTED (middleman Theuma ran an underground lottery ring controlling 30% of the market).
  • 2018, Operation Game Over. Found: 26 arrest warrants; Benedetto Bacci (“king of gambling”) earned €16M/month through Palermo Cosa Nostra via Maltese gaming licenses. MGA’s role: LICENSED (Phoenix International operated under MGA license).
  • 2018, Operation Galassia. Found: 68–70 arrests, €1B+ seized across 12 countries; Cosa Nostra, ‘Ndrangheta and Sacra Corona Unita sharing €4.5B in bets via Malta-based entities. MGA’s role: SHIELDED (SKS365 under MGA license; Maltese court denied extradition of key figure).
  • 2012–14, Leaked MGA Internal Emails. Found: internal correspondence revealed the MGA “failed to abide by its own rules”; lax supervision enabled money laundering with inadequate oversight. MGA’s role: DIRECT FAILURE (evidence of systemic regulatory negligence).
  • 2021, MGA Insider Corruption. Found: CTO Jason Farrugia dismissed for misusing sensitive data; compliance officer Iosif Galea faces money laundering and tax evasion charges. MGA’s role: OBSTRUCTED (European Arrest Warrant for Galea ignored by Maltese police).
  • 2021, FATF Grey-Listing. Found: first EU member state ever placed under increased monitoring; money laundering investigations found to be “not a priority”. MGA’s role: SYSTEMIC (gaming sector vulnerability cited as a core factor in the assessment).

Leaked MGA internal emails from 2012–2014 revealed the regulator had failed to abide by its own rules, with lax supervision enabling conditions where money laundering occurred with inadequate oversight. A former MGA compliance officer, Iosif Galea, faces money laundering and tax evasion charges after receiving sensitive insider information from the regulator and passing it to “interested parties.” Despite a European Arrest Warrant issued by German police — and three reminders — Malta’s police ignored the warrant. Galea was eventually arrested by Italian authorities while on holiday. He had traveled abroad with disgraced former Prime Minister Joseph Muscat. The MGA’s own Chief Technology Officer, Jason Farrugia, was dismissed in 2021 for misusing sensitive internal data.

The threads connect to Malta’s darkest chapter. The middleman who contracted the killing of journalist Daphne Caruana Galizia, Melvin Theuma, was connected to an underground lottery ring that controlled approximately 30% of Malta’s legitimate lottery market.

Against this backdrop, Wittmann’s claim that MGA data reveals “organised crime enablement schemes” is not extraordinary. It would be extraordinary if it didn’t.

The accountability gap reveals the real pattern

The most important story is not any single breach. It is the escalating pattern of institutional response — each target choosing suppression over accountability, in increasingly aggressive ways. The regulatory gaps that plague the gambling industry are not limited to crypto — they extend to the fundamental question of who holds regulators themselves accountable.

How Each Target Responded to Wittmann: escalating from clumsy retaliation to institutional suppression

  • 2021, CDU (clumsy retaliation): offered consulting contract for silence → demanded NDA → filed criminal complaint → withdrew everything after public backlash. Prosecutors dropped the case: unprotected data cannot be “hacked.”
  • 2025, Merkur (damage control): called Wittmann an “ethical hacker” to avoid the CDU’s mistake. Simultaneously downplayed severity, claimed “high technical expertise” was required. GGL issued a reprimand. No fines, no license suspensions.
  • 2026, MGA (institutional suppression): dismissed organized crime claims as “unsubstantiated.” Framed security research as “unacceptable.” LinkedIn post removed. No disclosure of compromised data. No notification to affected entities.

This progression — from clumsy retaliation to professional damage control to institutional suppression — mirrors what cybersecurity researchers face globally when they target powerful organizations rather than consumer tech companies. Google pays up to $250,000 for critical vulnerability reports through Project Zero. Microsoft has paid out more than $60 million to security researchers. Apple offers bounties up to $2 million for the most critical iOS vulnerabilities. These companies have concluded, after years of fighting researchers, that cooperation is cheaper and safer than litigation.

Malta has drawn the opposite conclusion.

How the EU and Malta Treat Security Researchers
EU Direction
  • NIS2 Directive encourages non-prosecution of security researchers
  • Cyber Resilience Act encourages civil liability exemption
  • Belgium adopted comprehensive safe harbor (Feb 2023)
  • Netherlands has had non-prosecution framework since 2013
  • Germany actively reforming its computer crime statute
Malta’s Approach
  • No safe harbor provisions for ethical hackers
  • No coordinated vulnerability disclosure framework
  • Maximum 10 years imprisonment for hacking public service
  • Three students arrested, strip-searched for reporting a bug (2022)
  • 43% decrease in Maltese bug bounty participation post-arrests

In October 2022, three University of Malta computer science students were arrested, strip-searched, and criminally charged after responsibly disclosing security vulnerabilities in FreeHour, a student scheduling app. Two developed diagnosed PTSD. Their devices were seized for 28 months. The case produced a 43% decrease in Maltese bug bounty program participation and caused two cybersecurity startups to relocate from Malta. The students eventually received a Presidential Pardon in July 2025 — but only after Prime Minister Robert Abela acknowledged the law “had not caught up to modern technological standards.”

iGaming’s cybersecurity vacuum extends far beyond Wittmann

The gambling industry’s security failures are structural, not incidental. The Mill Adventure breach was not an anomaly — it was representative of an industry that stores financial-services-grade data while spending a fraction of what financial institutions invest in security. The growing timeline of casino data breaches paints a damning picture of an industry-wide cybersecurity crisis.

In September 2023, the Scattered Spider hacking group used a 10-minute social engineering phone call to cripple MGM Resorts’ entire operation, causing over $100 million in losses. Days earlier, Caesars Entertainment paid a $15 million Bitcoin ransom after a similar attack. In November 2022, Joseph Garrison, an 18-year-old from Wisconsin, used credential stuffing to compromise 60,000 DraftKings accounts and steal approximately $600,000 — he later bragged in messages that “fraud is fun.” In November 2024, International Game Technology detected unauthorized access and took systems offline. In 2025–2026, ShinyHunters sat inside Wynn Resorts’ Oracle PeopleSoft system for five months before going public, reportedly exposing 800,000+ records.

The MGA requires its licensees to meet information security standards benchmarked to ISO 27001 and undergo system audits by accredited auditors. Yet The Mill Adventure claimed ISO 27001 certification while operating a completely unsecured GraphQL API. The GGL found that The Mill Adventure, Cashpoint Malta, and Solis Ortus Service had all failed to conduct legally required annual penetration testing. The regulator that mandated these standards from licensees apparently failed to secure its own systems — Wittmann’s description of the MGA breach as “as easy as hacking the CDU” implies elementary security failures, not sophisticated exploits.

B2B platform providers like The Mill Adventure create concentrated, systemic risk. When a single platform powers multiple operator brands, one vulnerability cascades across the entire ecosystem. The industry’s core tension — speed-to-market versus security, regulatory arbitrage versus robust compliance — remains unresolved. As Kyte Global noted: “The distinction between a neobank and a major sports betting operator is increasingly semantic. Both hold millions in user deposits and manage databases enriched with sensitive PII and KYC documents.” The difference is that banks face meaningful consequences for security failures. Casinos largely do not.

The Germany-Malta axis connects everything

Wittmann’s three gambling-sector interventions trace a geographic thread that leads from German players to Maltese infrastructure and back. She is German. Her Merkur targets were German-facing casino brands. Those brands ran on The Mill Adventure’s Malta-based platform. Now she has breached the Maltese regulator overseeing the entire chain. This is not coincidence — it is systematic escalation up the infrastructure stack, from operator to platform provider to regulator.

The connection matters because Germany’s online gambling market is ground zero for the conflict between national regulation and Malta-based operators. Under the Interstate Gambling Treaty (GlüStV 2021), operators need specific GGL licenses to serve German players. An MGA license grants no automatic access. Yet the GGL’s own reporting identifies 212 operators illegally targeting German players through 858 German-language gambling websites, with Malta the only EU member state specifically named as a source jurisdiction. The scale of Germany’s online gambling black market makes this regulatory conflict existential. The channelization rate — the share of gambling going to licensed operators — is fiercely disputed: the GGL’s commissioned study claims 77%, while industry associations cite figures closer to 50% and estimate black market share for online casinos at up to 80%. As our analysis of Europe’s offshore gambling crisis documented, Germany’s black market problem is symptomatic of a continent-wide disease, with Malta at its center.

Licensed German operators face a €1-per-spin maximum stake with 5-second intervals, monthly deposit limits of €1,000 across all platforms, and effective RTPs of approximately 88.5% due to a 5.03% stake tax. Unlicensed MGA-licensed operators offer RTPs above 95% with no stake or deposit limits. The incentive structure practically drives players offshore. The Czech Republic’s own black market challenges reflect the same dynamic playing out across Europe.

Malta has responded to cross-border enforcement efforts with Bill 55 (Article 56A), passed in June 2023, which shields MGA-licensed operators from foreign court judgments — effectively blocking German players from recovering losses through litigation. The GGL has called Bill 55 “incompatible with European requirements,” and the European Commission has opened formal infringement proceedings against Malta. The CJEU is expected to rule on the matter in cases involving Tipico (Germany’s largest sports betting operator) and Lottoland.

If Wittmann’s MGA data reveals which licensees are serving German consumers without GGL authorization — or worse, which have organized crime connections — the material could be explosive in ongoing European court proceedings and the GGL’s 2026 review of the entire regulatory framework.

What happens next depends on Germany, not Malta

The immediate question is whether Germany would extradite Wittmann to Malta. Under the European Arrest Warrant framework, this is technically possible — computer crime falls within the 32 listed offense categories, and Malta’s penalties exceed the one-year minimum threshold. There is no nationality exception.

But practically, extradition is extremely unlikely. Germany is actively reforming its computer crime laws to protect security researchers. NIS2 encourages non-prosecution. The proportionality principle in EAW execution would likely apply. There is no known precedent for an EU member state extraditing a security researcher for ethical hacking. And Wittmann’s dead man’s switch — the threatened release of her “entire archive of iGaming-related data” — creates a deterrent that any competent legal advisor would counsel Malta to take seriously.

The more consequential question is what Wittmann’s unnamed “media partners” publish. The Daphne Project — the consortium of 45 journalists created after Caruana Galizia’s murder — previously produced the definitive OCCRP investigation on “How Maltese Online Gambling Became an ATM for the Italian Mafia.” Investigate Europe’s “Shady Bets” series, published in partnership with The Guardian, Público, and La Libre, has covered related territory. No media organization has confirmed working with Wittmann’s data, but the infrastructure for responsible publication of such material exists and has been used before.

Wittmann’s statement that she will expose “organised crime networks supported by countries like Malta” — plural, “countries” — suggests her ambitions extend beyond the MGA. Her closing request to “refrain from inquiries until further notice” indicates a coordinated release timeline. Her claim that the data was shared with “authorities” raises the question of which regulatory or law enforcement bodies now possess material from the MGA’s internal systems.

What this means for anyone betting at MGA-licensed casinos

PLAYER ALERT

If you play at an MGA-licensed casino, the regulator that certified your operator’s fitness holds your complaint history, any self-exclusion records, and oversight data about whether your operator is actually complying with anti-money-laundering requirements. That regulator’s systems were breached by someone who found it trivially easy. The MGA has not disclosed what data was compromised or taken any visible steps to notify affected entities beyond its initial statement.

The trade press is largely missing this story. Of nine major iGaming outlets examined, only NEXT.io and iGamingToday provided substantive coverage of the MGA breach. SBC News covered the CJEU/Tipico ruling on the same day but not the breach itself. iGaming Business, Casino.org, GamblingInsider, CalvinAyre, Yogonet, and Legal Sports Report had no coverage as of March 21. No mainstream international outlet has touched it. German media — Heise, Netzpolitik, Spiegel — which covered Wittmann extensively in 2021, have not yet reported on the MGA breach.

Most critically, no outlet is connecting the breach to the MGA’s organized crime history. The coverage treats this as an isolated cybersecurity incident rather than the latest chapter in a decades-long story about a regulator that has repeatedly failed to prevent organized crime from exploiting its licensees. The missing analysis is obvious: what could the breached data reveal about ongoing criminal infiltration that the MGA either missed or tolerated?

If Wittmann is telling the truth about the data’s contents, it could reveal whether the operator you trust was properly vetted — or whether it shares ownership structures with entities the Italian anti-mafia directorate has been investigating for years.

The MGA’s credibility is not an abstract governance question. It is the foundation on which €1.386 billion in economic activity, 14,000 jobs, and the trust of millions of players worldwide currently rests. Lilith Wittmann has found that foundation to be made of the same material she has encountered at every target: an unlocked door, an institution more interested in prosecuting the person who found it than in fixing the lock, and a pattern of accountability that begins and ends with the word “unsubstantiated.”

The data, if it arrives, will either vindicate the MGA’s claim of integrity or confirm what Italian prosecutors, FATF evaluators, investigative journalists, and now a 30-year-old hacker from Berlin have been saying for a decade. For anyone placing bets at MGA-licensed casinos, that distinction is no longer theoretical. It is the most important open question in online gambling regulation today.

KEY TAKEAWAYS

  • Three breaches, one pattern — Wittmann breached the CDU (2021), Merkur/Mill Adventure (2025), and the Malta Gaming Authority (2026), each time finding elementary security failures
  • Unprecedented regulator hack — The MGA breach is the first time a major gambling regulator has been publicly hacked, exposing data far more sensitive than any single operator breach
  • Organized crime claims — Wittmann says the MGA data proves “organised crime enablement schemes,” a claim made plausible by Malta’s documented history of mafia infiltration in gambling
  • Dead man’s switch — Any police action from Malta triggers the release of Wittmann’s entire iGaming data archive, including the 200 GB from the Mill Adventure breach
  • Industry-wide crisis — The gambling industry stores financial-services-grade data with a fraction of the security investment, making breaches structural rather than incidental
  • Germany-Malta axis — Wittmann systematically escalated from German-facing operators to their Maltese platform provider to the Maltese regulator itself
  • EU vs Malta — While the EU moves toward protecting security researchers, Malta has no safe harbor and punishes ethical hackers with up to 10 years imprisonment


Written by

Aevan Lark

Aevan Lark is a gambling industry veteran with over 7 years of experience working behind the scenes at leading crypto casinos — from VIP management to risk analysis and customer operations. His insider perspective spans online gambling, sports betting, provably fair gaming, and prediction markets. On Dyutam, Aevan creates in-depth guides, builds verification tools, and delivers honest, data-driven reviews to help players understand the odds, verify fairness, and gamble responsibly.
