I've been running a stolen domain name recovery service for a few years now. Even though hacking into someone's account and transferring the domain name to themselves or transferring it to another domain registrar is a crime, it's never prosecuted (when they come to us the first thing we have them do is file a police report).

The problem is that most domain registrars won't help get your domain name back. Many domains are stolen because they hacked the email address and not the domain registrar account (even though that's how they got access). Most domain registrars don't care at all, and won't help. And there are no current ICANN policies for dealing with stolen domain names. Even UDRP is not set up for dealing with stolen domains. Although we were successful getting one back via UDRP since the business was using the domain previously and we ended up claiming 'commonlaw trademark'.

This is one reason why we've been so successful getting stolen domain names back for clients: we use some alternative methods, such as actually talking to people at the registrars involved and talking with the domain thief, to get domains back.