They also copied the nostr addresses of their original users, right?

So simply validating that could solve the problem