When the CA is giving you, supposedly the owner of someguy.example, a new certificate, how do they verify that you're you first?

One common way is they tell you a magic, unique string and you serve it under someguy.example/.well-known/whatever and they connect to you and verify it's there and matches. But if BGP is being hijacked, when they connect to you, they could really be connecting to some scammer. How would they know? So now some scammer has proved they're you and they'll be given a valid cert for someguy.example.

The other common verification methods have similar holes.
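An added simulation, not code from the comment above or from any CA, of the HTTP-01 style check it describes: the CA issues a token, fetches it from the domain, and compares. It also shows the multi-perspective check CAs have adopted so that a route hijack visible from only part of the Internet does not pass validation. The network model, the domain, the vantage-point names and the token handling are constructed for the illustration.

```python
"""Simulated HTTP-01 style domain validation under a partial BGP hijack.
Everything here is constructed: the network model, vantage points and
token handling stand in for a real CA and real routing."""
import secrets
from typing import Dict, Optional

CHALLENGE_PATH = "/.well-known/acme-challenge/"   # HTTP-01 path (RFC 8555)

# A "server" maps URL path -> response body; a "network" maps each CA
# vantage point to the server its traffic for the domain actually reaches.
Server = Dict[str, str]
Network = Dict[str, Server]

def issue_token() -> str:
    """CA side: fresh, unguessable token for this validation attempt."""
    return secrets.token_urlsafe(32)

def fetch(network: Network, vantage: str, path: str) -> Optional[str]:
    """Simulated GET from one vantage point; None stands for a 404."""
    return network[vantage].get(path)

def validate_single(network: Network, vantage: str, token: str) -> bool:
    """Naive check from one vantage point: accept if the body matches."""
    return fetch(network, vantage, CHALLENGE_PATH + token) == token

def validate_multi(network: Network, token: str, quorum: int) -> bool:
    """Multi-perspective check: the token must be seen from at least
    `quorum` independent vantage points before the CA accepts."""
    seen = sum(fetch(network, v, CHALLENGE_PATH + token) == token
               for v in network)
    return seen >= quorum

def honest_scenario(token: str) -> Network:
    """Constructed: the real owner serves the token; routing is intact."""
    legit: Server = {CHALLENGE_PATH + token: token}
    return {"vantage-eu": legit, "vantage-us": legit, "vantage-asia": legit}

def hijack_scenario(token: str) -> Network:
    """Constructed: the hijack is visible only from the EU vantage point,
    where the CA's request lands on a host that knows the token; the other
    vantage points still reach the real site, which never saw it."""
    hijacked_host: Server = {CHALLENGE_PATH + token: token}
    legit: Server = {"/": "the real someguy.example site"}
    return {"vantage-eu": hijacked_host,
            "vantage-us": legit, "vantage-asia": legit}

if __name__ == "__main__":
    t = issue_token()
    print("single vantage, hijacked route:", validate_single(hijack_scenario(t), "vantage-eu", t))
    print("multi-perspective, hijacked route:", validate_multi(hijack_scenario(t), t, quorum=2))
    print("multi-perspective, honest owner:", validate_multi(honest_scenario(t), t, quorum=2))
```

With a single vantage point that happens to sit behind the hijacked route the check passes, which is the failure the comment describes; requiring corroboration from several vantage points turns a localized hijack into a validation failure rather than a misissued certificate.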


