
But when you use your card, itch gets your real name. How can they exploit that, creating fake real people? Visa/Mastercard do not have safeguards against that?

I meant 2FA as additional protection against someone getting access to your account after you have been verified.

So maybe gold badge would be verified card + 2FA, silver = verified card, bronze = 2FA?

OR gold = $100+ purchases, silver $50+, bronze $10+? That way it's really expensive for hackers to cheat.

Asking people to verify their account by paying some kind of fee, that might even be refunded, would work to some extent.

It would work a lot less effectively if you use user-level verification to verify developer accounts. For one, the hackers have access to hacked accounts that will have made purchases. So rich hunting grounds to just grab pre-verified accounts. A special transaction would be better. But if there is no grace period for fraudulent transactions, yes, they can easily invent fake people to pay for with stolen credentials. They already fake email addresses in bulk. Using a list of stolen credentials that might work for a few weeks is not that difficult. They are not after the money itself from those cards, they just need it to hold long enough to put up a fake account with a shelf life of a few weeks. Also, the verified account check mark might lull users into installing the malware and ignoring any warning messages. So higher effectiveness that justifies putting more effort into faking the page plus verification.

2fa for a verified account is as easily broken as for a non-verified account. Get your session cookie stolen and your account is compromised for uploading malware. An easy countermeasure would be to ask for the 2fa token when uploading or updating a project. I do not know if Itch has such a thing, I assume not. You have several projects and probably 2fa. Were you ever asked for your 2fa for doing a thing that a hacker might do? Like exchanging files against virus-infected files?

I do not know how Itch currently verifies developers. They can do it, and there are accounts with a verified checkmark. For example, Hempuli is verified. You will find more here https://itch.io/games/top-rated
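
The countermeasure suggested in the post above (asking for the 2FA token when a project file is uploaded or replaced), written out as an added example; this is not itch.io's code and not part of the original post. `Account`, `SESSIONS` and `replace_file` are hypothetical names, and the secret and cookie values are constructed.

```python
import hashlib, hmac, struct, time

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Account:                                   # hypothetical account record
    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.last_step_used = -1                 # each time step is accepted once
        self.files = {}

def verify_totp(acct: Account, code: str, now: float, step=30, window=1) -> bool:
    """Accept a code for the current step +/- window, never a step already used."""
    current = int(now) // step
    for s in range(current - window, current + window + 1):
        expected_ok = s > acct.last_step_used and hmac.compare_digest(
            totp(acct.totp_secret, s * step, step), code)
        if expected_ok:
            acct.last_step_used = s              # blocks replay of an observed code
            return True
    return False

SESSIONS = {}                                    # session cookie -> Account

def replace_file(cookie, name, data, code=None, now=None) -> str:
    """Sensitive action: a valid session alone is not enough, a fresh code is."""
    now = time.time() if now is None else now
    acct = SESSIONS.get(cookie)
    if acct is None:
        return "denied: no session"
    if code is None or not verify_totp(acct, code, now):
        return "denied: 2FA code required"
    acct.files[name] = data
    return "ok"

if __name__ == "__main__":
    dev = Account(b"12345678901234567890")       # constructed secret (RFC 6238 test key)
    SESSIONS["cookie-abc"] = dev                 # constructed cookie; assume it was copied
    print(replace_file("cookie-abc", "game.zip", b"new build", now=59))
    print(replace_file("cookie-abc", "game.zip", b"new build", totp(dev.totp_secret, 59), now=59))
```

With this check in place, a copied session cookie still lets someone browse as the developer, but swapping the downloadable files also needs a current code from the authenticator.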