You may want to see if the provider you purchase codes from has a way to report stolen codes. You can find purchased codes listed in your E-junkie Transaction Log.
I see you have "Wait for pending payments..." checked in your Payment Preferences, so we should only process orders after the payment processor has actually completed the buyer's payment. The "ONLY AUTHORIZE..." setting, would require you to manually accept every payment in your payment processor account; however, due to the limitations of what payment processors can do, this will NOT delay our system from processing the order, only delay accepting the actual payment (notice that checking this setting also un-checks the "Wait for pending payments..." setting).
In your PayPal account > Profile > More Options > My Selling Tools > Website preferences, you can set PayPal Account Optional: OFF. This will require buyers to log into their PayPal account to pay you, so we would only email their purchased code to their registered PayPal account email address. This would prevent buyers using a stolen credit card and providing any arbitrary email address they wish during checkout, and buyers using a hacked PayPal account would also need to have access to the actual inbox account of the email address associated with that PayPal account in order to actually receive the code.