Yes some of the keys are legit and by legit I mean they were purchased with stolen credit cards. Devs have often lamented having to deal with this nonsense, its pretty well known in the industry and has been discussed countless times here. G2A is a scummy operation, they are not legitimate in the slightest. There is no free lunch, they are not selling keys below everyone else in the industry legitimately. They are also well known for ignoring complaints and enabling this sort of shit, just throwing their hands up and saying "its a marketplace!" as if that's an answer to anything.
This bullshit will not check out. When they say independent audit firm, they mean some third party they control that probably knows nothing about the industry. And they will absolutely not honor any results, probably using semantic dodging about "proof" as they have done in the past.
If people want to buy keys on G2A then whatever, I don't care how they spend their money but at least know where it's going.
Playing: Wildermyth, Mass Effect Legendary, Returnal
Watching: Deadwood, Dune, Evil