Fancy seeing you here, Marco. Anyway, I'd like to state my limited experience
with a few hijacking cases in my past registrar life.
We first try to verify if it's indeed a case of a 3rd party who had accessed the
domain name account without the actual owner's knowledge and consent. We
check a couple of things like IP address used to log in, any password recovery
options utilized, if the caller's really the owner, etc. (can't say what other bits
to look into, of course...)
Naturally we lock the domain name if it's still with us, but we mainly do that if
we're able to confirm it's indeed a hijack. I remember one case where a name's
WHOIS details have been changed during a call, and that's despite changing it
myself after verifying the caller.
Of course, things are more challenging if the domain name's hijacked and then
transferred to another registrar. In that scenario, we ask the customer to sign
our waivers absolving us of liability, but we work with the other registrar after
that.
Some of them work similarly to us in the sense we sign our respective waivers
and all. It's easier if the domain name's with a registrar we have pretty much
built a lot of goodwill with, but worst case is being told to get a court order.
But if it's a case of a domain name registered under a webmaster, and his ex-
client calls asking how to access it or so, then that's one time I get into my
"bad news" mode and tell them to get a court order or find him or her. That's
not always a hijacking case, and it's difficult (if not impossible) to determine if
a hijacking occurred.
I'd say it's like any other thing: whether a hijacked domain will be returned will
depend on the situation. It's case to case.