PS reCAPTCHA really isn't enough to secure things these days. reCAPTCHA 3 is even bypassed, and scripts available to do so all over. You need things bots just can't do, and unique security questions are one way to do that. Considering these are bots trained to use forum systems, they're pretty sophisticated, and probably using these exploits. And it's easy to detect reCAPTCHA versions to determine a patch to apply.