To begin with, Tinybuild was extremely transparent in their claim. The 450k figure is an exgaration, but they make it very clear. Furthermore, they know that 197k was what the total of every key that had sold for on g2a. Now, not every key was stolen. The real problem that exists for this is how g2a responded, which killed any chance I ever have from buying from them.
g2a first claims absolutely no liability for anything that occurred and plainly states no money will be returned. Second, they try to partner with Tinybuild - mind you that this is asking the company to lower the price of its product considerably, not to mention g2a would get a cut of the pie. More importantly, they dance around the problem of stolen keys entirely.
Think about how you'd feel if you were unknowingly an accomplice to a criminal act. Chances are, you would feel used and upset that you harmed others. That's because you know the difference between right and wrong, and you did wrong. A good business should also be morally sound. Yet g2a clearly isn't: Not only do they first focus on stating they weren't involved, they immediately try to sell to the company.
Furthermore, they have not at all tried to make up for their actions or, at the very least, try to ensure it doesn't happen again. Rather, they seem perfectly happy with being involved with credit card fraud. Something doesn't sit right; g2a just doesn't care.
I'll allege further, however, and say that they go beyond not caring, but instead actively encourage illegal goods being sold on their marketplace. There's two things that point to this; the first of which is g2a's storefront. A customer has the option to purchase a guarantee that their product will arrive. This is absolutely absurd for two reasons: 1: it is assumed that their is a risk of being scammed intrinsically; in other words, scammers not only exist on g2a, but g2a makes money from scammers existing. g2a has no motivation to stop scammers whatsoever.
The second reason I believe g2a encourages illegal goods being used on their site is their statement on this whole affair:
"At G2A we believe in being innocent until proven guilty, meaning we believe that all of our 200k merchants are legit until proven otherwise. We support merchants and assume they operate within the law. Of course, unfair “players” appear in any business, which unfortunately includes our system. Nonetheless, G2A does not hold any liability for vulnerabilities in someone’s billing system."
What did they do? First, they said that there is no prevention for a scammer to sell on g2a. Moreover, g2a claims no liability for customers being scammed. They are completely indifferent to having scammers on their system. Given that scammers give them profit, this shouldn't come as a surprise.
Additionally, I want to touch on the fact that g2a claims to work with publishers, they namedrop a few in their statement: "Gaijin, Bitbox, Herocraft, Nekki, Nival." Fun fact: Every publisher they work with deals with free to play games or games with microtransactions. This is an entirely different business model from Tinybuild, and cannot be compared whatsoever, as g2a does not undercut these companies profit.
To take this back to Tinybuild, they have no responsibility to get every single fraudulent key. As long as a single fraudulent key was sold on g2a, there is a problem.
The fact is, g2a doesn't care about the presence of scammers. They do not care about doing the right thing, and are not taking any action to protect their customers. This is an awful business, and I suggest you should never buy from them again.