I don't see how it could be solved without introducing deanonymization / KYC; a new npub could be generated for the spoofing, after all.