Updated 8.53pm with MGA response
An IT security researcher who last year exploited weaknesses in software provided by a Maltese company servicing online casinos has claimed responsibility for a recent system breach at the Malta Gaming Authority (MGA).
Writing on X alongside a screenshot of the MGA website announcement of the breach, Germany-based security expert Lilith Wittmann said, “Yes, I hacked you, and the data obtained has been shared with media partners, authorities”.
“And yes, we will expose the organised crime enablement schemes you created while presenting yourselves as a ‘legitimate public service’”, she wrote.
Wittmann’s post follows an MGA announcement earlier this week that its computer systems had been breached by someone it said had “presented” as a security researcher.
The regulator had said it was treating the incident with the “utmost seriousness”, while not providing information on which systems were breached or whether any sensitive information had been compromised.
Commenting underneath the post, Wittmann, a member of “Europe’s largest hackers’ association”, the Chaos Computer Club, said she hoped that German authorities “are for once, smart and do not extradite me to Malta, where I would face up to 10 years’ imprisonment for hacking a public service”.
“I am certain that the information obtained is so valuable for the public discourse that obtaining it will one day, in the not-too-distant future, be seen as a justified necessity.”
She added that hacking the MGA had been as “easy as hacking the CDU”, in reference to Germany’s Christian Democratic Union political party.
Responding to Wittmann’s comments, the MGA said the allegations were “unsubstantiated” as it condemned “any unauthorised access to its systems and any extraction, handling or dissemination of data obtained through such activity”.
“While the individual has sought to frame their actions as a form of ethical hacking, the MGA notes that the activity did not involve any recognised or good faith disclosure to the Authority.”
A spokesperson for the authority said the incident was “unacceptable and incompatible with lawful engagement with public institutions and established governance frameworks.”
The MGA insisted it operates within a “robust legal and regulatory framework” and carries out its statutory functions with “integrity, independence and accountability.”
Wittmann landed in hot water in 2021 after exposing a vulnerability in the CDU’s election campaign app, triggering a criminal complaint from the party despite the researcher reporting the vulnerability to authorities in line with responsible disclosure practices.
The case was later dropped following an online backlash.
Closer to home, in March last year, Wittmann accessed sensitive personal information of over a million online casino players after “easily” exploiting weaknesses in software provided by St Julian’s company, The Mill Adventure.
Player names, e-mail addresses, credit card details, postal addresses, casino IDs and session information were among the data exposed by the vulnerability affecting online casinos Slotmagie.de, Crazybuzzer.de and Merkurbets.de.
Questions were sent to the MGA.