They couldn't do that at scale without being detected, no. There are various people actively looking for this, and the existing tooling makes it easy to detect.

>Browsers checks CRLs but are they checking CT logs to be ensure the cert they're checking was logged ?

Yes, all modern browsers require certificates to be in the CT logs in order for them to be accepted.

For example, we can easily pull up logs for gmail.com and see which certificates browsers would accept. https://api.certspotter.com/v1/issuances?domain=gmail.com&ex...