I was thinking you could hard-code in an array of "illegal" bitcoin addresses (those of the perpetrators) so that no client will invalidate Bitcoins originating from them. Also, you could hardcode in an address that starts with the amount of Bitcoins stolen, and give allinvain the private key. I'm sure it could be done though I don't know the technical specifics.

You could actually turn it into an entire component of the client where you hardcode in reversals of fradulent activity, based on democratic and fair judgements.