Uh, didn't know that bolded part. Still, is it what actually happens or is that a guess?
From GOG's FAQ:
"There are some restrictions for purchasing gifts on new accounts, depending on the payment method used. For credit/debit and PayPal purchases, you need to have at least $10 (or its equivalent in your selected currency) worth of purchases made at least 3 months ago. Alternative payment methods, such as paysafecard, are not affected by these restrictions."
I'm thinking it doesn't make much sense. Suppose a hacker does get in someone's account and makes such a purchase. First of all, as soon as GOG receives notice of a hacked account it would be trivial to invalidate all its purchases. Keys go expired in a second. And seeing as its merchandise is all digital there's not even the possibility it'll be "[in transit | already delivered]" and thus out of GOG's reach.
So we have to assume these hackers can only provide short-lived or already expired keys; and not just we but all those stores must assume it as well. Why would they buy them in that case? If they're being fooled that will only happen once, and if they're knowingly selling dirty keys they might as well not buy anything and just generate a code that resembles a GOG key themselves.
Resellers like G2A don't care where the keys come from. They don't buy them from sellers, but are a marketplace instead. You can directly sell your keys there and they only get a certain percentage of the money for providing the platform.
And most people whose credit card data is stolen don't recognize it right away. The criminals normally have some weeks before the keys get invalidated. It's more than enough time to sell them and get away with the money. When a reseller gets reports about fraud and bans the account, they simply create a new one and continue the same way.