On open source projects you can vet people based on whether you can personally identify them as real people. Moving forward, be suspicious of anonymity for core contributions.
Debian does things that way; their developers have to get their key signed by other developers, and a DD who signs someone's key is supposed to check ID. But there's no similar protection for their upstream.