They could do that, but you'd be able to see that nobody/few outside their cluster signed any of their keys.

Let's say they have fake passports and physically appear at key signing parties. Now you're screwed because even your peers (that you thought know how to validate identities using passports) will get fooled.

Read more on GPG's trust levels: https://www.gnupg.org/gph/en/manual/x334.html