Just FYI, krygorin4545@proton.me (the latest message before the upload) was created Tue Mar 26 18:30:02 UTC 2024, about an hour earlier than the message was posted.
Proton generates PGP key upon creating the account, with the real datetime of the key (but the key does not include the timezone).
That account seems to be a contributor for xz though, you can see him interact a lot with the author of the backdoor on the GitHub repo. Some pull requests seem to be just the two of them discussing and merging stuff (which is normal but looks weird in this context)
Even if they have a "real" picture or a credible description that is not good enough. Instead of using an anime character a malicious actor could use an image generator [0], they could generate a few images, obtain something credible to most folks, and use that to get a few fake identities going. Sadly, trusting people to be the real thing and not a fake identity on the Internet is difficult now and it will get worse.
You can quite easily generate a realistic photo, bio, even entire personal blogs and GitHub projects, using generative AI, to make it look like it's a real person.
