https://www.icann.org/resources/pages/abuse-2014-01-29-en
That said there are some ways to mitigate this problem:
a) The domain owner can publish a 'CAA' record(s) in their DNS zone, which list Certificate Authorities that should be allowed to issue certificates. If Let's Encrypt sees this and it is not in the list, they will not issue an certificate.
b) Certificate Transparency: Let's Encrypt and other CAs inform neutral CT server about newly issued certificates. An organisation that is often targeted by abuse (e.g. PayPal) can monitor these and react appropriately if they detect malicious behaviour.
