Cybersecurity expert Lilith Wittmann has discovered a critical flaw in Merkur’s GraphQL interface, exposing the data of 800,000 players. The insecure software, supplied by The Mill Adventure, was also in use at illegal casinos in Germany. After Wittmann alerted the company, it cut off access for unregulated platforms, leading to the sudden closure of at least 12 gaming sites. This shows the direct impact of intervening at the level of the technical infrastructure rather than going after the operators themselves. The Mill Adventure has acknowledged the breach and strengthened its security, while Wittmann is continuing her investigations into the online gaming sector.
An ethical hacker has claimed that more than 12 illegal casinos in Germany have been shut down. The software provider allegedly cut off access to its platform. As a result, these online casinos suddenly went offline.
The action comes after months of investigation by Lilith Wittmann. She discovered a serious security problem at German gambling giant Merkur. The cause? A vulnerable GraphQL interface without proper access control. This allowed unauthorised access to sensitive player data.
Wittmann states that this leak may have affected 800,000 users. And that’s not nothing.
Unlicensed casinos operated with leaked software
According to Wittmann, the affected gambling sites were running software from The Mill Adventure, a Malta-based company. That software turned out to be vulnerable. Some casinos working with this system were also not on the official white list of regulator GGL.
On Friday 21 March, Wittmann wrote on LinkedIn that The Mill Adventure took action following her findings. She reportedly contacted several providers directly.
‘I have become so close with them that they are now covering their tracks.’
Then, according to her, the company pulled the plug on cooperating with unregulated parties. Since then, several illegal casinos have been offline.
Wittmann explains why software vendors should be more heavily targeted
Wittmann believes it is better to crack down on software vendors than to try to block IP addresses. The latter often works poorly. By tackling the technical infrastructure, you attack the problem directly at the source.
According to her, the impact now is far greater than through traditional enforcement.
‘This investigation has put pressure on everyone involved in illegal gambling. And that pressure is working.’
The Mill Adventure responds to the allegations
The company itself said it has no control over what outside parties do with its software. It provides technology, but is not responsible for users’ behaviour.
A spokesperson stated that The Mill Software Ltd has no control over the content or offerings of the casinos. That responsibility lies with the operators themselves.
Nevertheless, the company did admit that there was a serious leak. German regulator GGL had sent an official warning on 14 March. Three days later, they said, the problem had been resolved.
Cybersecurity becomes top priority after incident
The Mill Adventure said in a statement that this incident was unprecedented. It took immediate action, worked with specialists and promised to further strengthen its security.
According to the company, protecting user data remains a top priority.
Meanwhile, Merkur has stated that it does not consider Wittmann a criminal, but an ethical hacker. She is trying to make vulnerabilities visible, not exploit them.
Wittmann indicates that her work is not yet finished. This research is only the beginning of a series. She is focusing entirely on the world of online gambling.