Here's how it works. When someone registers a domain with Domains by Proxy, the e-mail provided to the DNS system for administrative and technical contacts proxy through to the person who actually registered it. If that person directly replies to an e-mail, you can see who actually owns the domain.
As usual with anything technical, the weakest link is the human. The KGB used to say "it's easier to break fingers than it is to break codes". And it's easier to exploit greed than it is to subpoena Domains by Proxy or hack their computers.
Check this shit out:
Names hidden to protect the douchey, but if you've got ten thousand extra dollars hanging around, you can have uncov.com all for yourself.