Incident

Malta Gaming Authority Breached by Security Researcher Claiming Corruption



The Malta Gaming Authority (MGA), the primary gambling regulator for Malta, confirmed a system breach on March 17, 2026. 

German security researcher Lilith Wittmann claimed responsibility for the unauthorized access in social media posts on March 20, 2026. Wittmann alleges the breach was intended to expose material linking the regulator to organized crime within the Maltese gambling sector. The MGA is treating the event as a serious security incident and has initiated a full investigation into the scope of the compromise.

The exact attack vector for this MGA incident has not been disclosed, but Wittmann has a documented history of exploiting unsecured APIs and GraphQL queries to exfiltrate sensitive data from gaming entities, as seen in her previous work involving German operators.

The compromised data includes:

  • Operator compliance files
  • Player records
  • Internal regulatory documents
  • Material allegedly linking the regulator to organized crime

The number of affected individuals is not disclosed. 

The MGA activated internal response protocols and implemented containment measures to stop further unauthorized activity. The authority is working with technical teams and law enforcement to assess the full scope of the data exfiltration. The MGA issued a formal statement condemning the breach, labeling the researcher's conduct as unacceptable and incompatible with lawful engagement and established governance frameworks.

This incident follows a 2025 breach in which Wittmann exposed 800,000 player accounts at Merkur Gaming by exploiting an unsecured API endpoint.
