Which would take hours and hours to do, totally outside of the realm of possibility /me rolls eyes. Computers are extremely good at doing things automatically. I highly doubt you know how to code anything and therefor your claim that this would be incredibly difficult or challenging is likely directly delivered from your ass. When it comes to computers, thousands is not a big number. Nothing needs to be updated on a regular basis. It wouldn't be hard to do this attack if you have control of the server. It would be hard to do it consistently and get away with it if anybody checks for it though, so long as we have anonymity. It would be hard to detect if it is only done occasionally though. If they did it with just one vendor at a time it would be absolutely positively trivial to implement and wouldn't need any code at all, a human could do it against a single vendor provided that they have access to the server. They just need to change the vendors public GPG key for a while, then switch it back, then intercept all communications to the vendor and try to decrypt them with the key they put out there for a while. Absolutely trivial. That proposed method will be detected in no time, and would raise all kinds of red flags to any intelligent buyer. The sort of attacker the OP mentioned is widely recognized, it is called a man in the middle attack, it can be automated and carried out on a massive level, and it is irritating to see people calling him a dumbass when they are obviously the ones who don't know what they are talking about.