As someone who works in IT Security, the captchas are a necessary evil at this point. Without captchas, sites get slammed with millions invalid or malicious requests every hour. The sites I work with will see error traffic spike 3000% or more from credential stuffing attacks alone. These attacks are so highly distributed that simple IP tracking and banning all but ineffective anymore. And about 99.99% of the malicious traffic comes from VPNs and hosting providers. Unfortunately botnets and the people that run them are getting smarter and smarter about constructing the traffic to avoid bot detection.
tldr; the most effective tool to keep a site up and running and accounts secure is unfortunately captchas for VPN users.
Cap