a) it's not about having his game in a bundle.
Let's say that I offer you that I sell you a game for 20$ (original price), for 10$ (reduced price) or 1$ (humble bundle price).
And you decide that you buy the game for 10$.
Then I would get 10$ of income from you. Now if you don't buy it from me, but from a third party which gave 1$ to me for it, then I still have a missed income of 9$ which this particular customer was willing to pay.
That's why I'd say that taking the price G2A sold the game for is a better margin to calculate losses than the bare minimum price he ever sold the game for.
b) Even if it's his own online shop (which it wasn't. It was from a distribution partner), that really doesn't mean he does everything by himself. He is not a bank. Even big companies with "own" shops still use third parties to handle the payments, especially for countries like Germany which have a DD system which comes with a huge additional mess. Of course I can't tell what he was using and how much effort it would be for him. But while I agree that it "should" be easy to filter out the accounts, I can also see how that's not necessarily the case if the system was not built around uncovering fraud. It might just give out a key coming from a certain batch without documenting which key it was, or storing it in a way that it becomes easily accessible. While we in Germany are confronted with chargebacks all day, that's not insanely common in the US for example.
Also the keys were not directly bought from his store but over another party. So let's say you provide a batch of 100 keys to Partner B and this partner then sells the keys to customers. But not all of them. They also sell 50 of the keys to company C, which is a keyseller. And they now sell the keys for less, either because they were able to cut some conditions A had with B or because the keys were not already paid via B in the first place or anything similar. Anyhow. You only know which keys you gave to B in this case. You could of course ban all of them but that would also affect some legit customers. But if C bought keys with chargebacks from B for example, it's already becoming a pain in the ass for the developer.
At some point it becomes mostly impossible to track. Of course it should be possible to determine from which batch a certain key is coming. But all the publisher can say is where it went to in the first place and not where it went after that.