Yep, Russia, Ukraine, and other eastern Europe seem to be lax about shutting down robo-spammers and scanners for vulnerabilities to take over a website for use as new spammer/malware distribution. Sigh.
I've found that even using a static passcode with Login Pad captcha, the robots haven't conquered it yet. They're already using Google voice-to-text to solve Google reCaptcha V2 sites easily so that alone is insufficient to protect from spammers. That's why we use two forms of captcha for registrations on WXForum.net -- only the very occasional human spammer slips through now.