I think one of the easiest way is to buy a domain name, create a project pages and links to your real github profile and projects you've participated on. It's harder to spoof domain name.
Anyone else just need to do some due diligence. You don't trust random pages on Facebook, so why should you trust Github profiles either? And I'm not saying to trust your project page, but it's way easier to verify that way. And that's why I like when open source projects have their own website.
I think one of the easiest way is to buy a domain name, create a project pages and links to your real github profile and projects you've participated on. It's harder to spoof domain name.
Anyone else just need to do some due diligence. You don't trust random pages on Facebook, so why should you trust Github profiles either? And I'm not saying to trust your project page, but it's way easier to verify that way. And that's why I like when open source projects have their own website.
Probably the easiest solution to this problem would be—don't use GitHub.
What good would using other repository services do in this case when someone can still just rip the repo?
Be less of an attack vector.
How did you find the fraudster?
A longtime collaborator emailed me directly to point me to the fake profile. I found the other fake profiles just by fiddling with the last character.