They’re literally doing the work. They’re not accused of placing backdoors, they’re not accused of anything aside from the US government running an antiquated sanctions regime, and just doing the work. The US government isnt charging companies with OFAC violations, so there is no reason to care. North Koreans learned how to be a fake Staff Software Engineer and do non-fake things for real RSUs.
Companies shouldnt burden the rest of their employees for social verification, for something that isnt a problem for the company.
That sounds akin to saying a security breach doesn't matter until there are consequences. Not many companies would be comfortable being in the position that they have not verified the identities of employees who have access to payment processing data.
They did verify the identity to the standard required. The employee lied.
Although analogies compare dissimilar things with a common attribute, your analogy relies on saying all employees are security breaches. These are employees competent to work in medium sized all the way to big tech companies as software engineers.
Every company with sensitive data need to consider insider threat risk. Many compliance standards require background checks specifically because employees can lie. My point is simple, it's not as simple as "employee complete tasks? Y/N" but that every employee is a potential liability that businesses need to do risk management according to their role. Remote work makes that more complicated, and requires different controls.
Companies shouldnt burden the rest of their employees for social verification, for something that isnt a problem for the company.