Most domain registrars allow you to add "privacy protection" for a nominal fee, which basically replaces your name under the WHOIS registrant info with theirs instead of yours. While this effectively shields outsiders from discovering who you are, the registrar likely knows the information of the original buyer...
It probably can be handled by a lawyer and/or trust as well. Even if they get past the registrar privacy, they get some business entity or lawyer contact.
It's hosted by Github pages which only needs an email address and is free so no billing info. Domain requires payment and stuff but you can easily use whois privacy protection. Looks like they use "Whois Guard Protection".
In the end they are relying on both whois guard and the domain registrar to keep their anonymity.
They could have registered the domain in the name of a legal entity registered in a state like Wyoming where company directors can remain anon. Basically shielded behind lawyers and shell corporations.
There’s a UDRP precedent where the panel held that registering a domain via njal.la constituted bad faith, so their business may not be on entirely solid ground.