Yes, this is by design (and mentioned every few months in the forum). Perhaps we should create a help article explaining this.
When you allow offline activations, limit the number of deactivations (or don't allow deactivations at all). And if you do allow deactivations, ensure that at least X days have passed (the expiration date of the activation response file).
Or make it a requirement that every user reverifies after Y days.
In other words, this problem is prevented on your side of things and how you issue activations, deactivations, etc.