It might not come easy, it is probable that the attacker is using stolen personal identifications.
Yup, this is how they cover their tracks, and i have to say i have been stupid enough to give my kyc for some shady projects and i think it's just a matter of time until they are used in some sort of scam. Luckily for me so has so many else so they have ton if IDs to use before mine.
If you are sending your identification to an unregulated and unknown project, then it is safe to say that they pooled users' data and might probably sell it over the black market, or even to anyone who wants to buy it. There is no certainty on what position the data would be used, it could be random or finding based on some criteria.
If I'm not mistaken, I saw a tweet that marked CZ from the victim's statement who actually lost his funds in his Binance account when making a deposit with an address that automatically changed to the thief's address. Unfortunately I can no longer find the tweet.
That is unrelated, this is way more on a back-end job from Binance rather than the user.