It appears that all of the vendors' public keychains are currently the same as DHL's public keychain. I just placed an order with a vendor then caught my mistake. I recommend holding off on ordering unless you are sure of your vendor's public keychain.
DHL busted, private key handed to the feds, they take over site and are now collecting addresses. RIP