I wouldn't want to get too deep into speculating and conspiracy theories but since I had posted details about the flaw, I started to think a little about how I would have set it up if I wanted to take advantage of it. Maybe this is what has been going on with a particular person.
Now, this is speculation; there is no evidence for it that I know of. I'm not saying this is what was happening, but it may explain why Nominet couldn't spot what people were continuously telling them.
Let's identify a totally fictional character that has been catching names well above what was statistically possible - Person X.
Person X had access to at least five other tags; of this, I am confident. Now if these 5 tags were the ones fiddling the DAC and the delayed DAC allowance, but reporting DAC responses back to the clean character Tag which was openly owned by Person X. Person X could fire off the EPP command to register the domain names when he got the signal.
If Nominet checks the DAC logs of Person X, all appears correct, and there is no history of abuse. The proxy tags are the ones doing the abuse.
Why would anyone think to check the DAC logs of Tags that aren't catching anything?