Just spitballing, but even if someone has a remote computer after getting hired and is onboarded, they should not have access to sensitive systems. So while you can't completely prevent the possibility of hiring a malicious actor, security should not simply be on/off. The Register article mentioned how, after these devs were hired, they were immediately able to kick off their plans. I think security is not structured properly if that is the case.
Is the subcontracted work not good enough? Well, then the problem is that the work is not good enough.
Is the person not contributing in other ways that you want them to contribute because they have other jobs (e.g. chat conversations, meetings, team building, etc.)? Well, then the problem is that they aren't making those contributions.
Or is it just that you're paying them more than you would have to pay the subcontractors if you found and managed them yourself? Well, then you are totally free to skip the middleman and do that yourself. But there is, actually, value in finding and managing freelance work. I certainly don't want to do that myself! If someone is good at doing that, and the quality of the work they are managing is acceptable to me, then it seems like they might be earning their paycheck?
I do get that the dishonesty element is bad in and of itself, but I honestly wonder whether, if this is a problem a firm is having, they should consider hiring the work out to subcontractors, without any subterfuge.