Once information stolen its easy to produce a digital fake ID with the info thats sold on the dark web and used everywhere. Private KYC collecting merchants rarely have the ability to authenticate the full gamet of valid types of government IDs.
Contrary to incredibly popular belief (at least in the US), asking for a photo of somebody's ID is actually not a sane way to do KYC. The point of an identity document is to check its security elements in person and compare the photo to the person standing in front of you. (Part of this can be replicated by doing a live video call, but that window is quickly closing due to deepfakes.)
Yet countless times in the past years, US and a few other companies have asked me to "identify myself" by sending them a scan of my goverment ID via chat/email/web form attachment, with absolutely no liveness check. This is just insane.