
I don't get this. People can still create 1000s of fake users on my website just by using CPU time?


It's effectively a rate limiter: where before the Bad Person/People could make 10,000 users per unit of time, now they may only make 100 users. It won't fix the problem entirely, but it's better than nothing.


But people can still run several sessions of this.

So if I have 100 cores available, I can run 100 sessions in parallel.


See my other comment about auto-scaling. Adjusting difficulty for PoW is trivial. Have the server crank up the challenge if it's getting more traffic than normal.


Or base the challenge difficulty on other parameters. For example, if your IP has had a lot of failed login attempts recently, the difficulty can be increased.
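
Added example, not part of the thread and not any commenter's code: a hashcash-style challenge whose difficulty rises with traffic above normal and with recent failed logins from the requesting IP, as the two comments above suggest. The function names, the SHA-256 leading-zero-bits scheme and the constants are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

SECRET = os.urandom(32)        # server-only key; makes challenges unforgeable
BASE_BITS, MAX_BITS = 12, 24   # assumed baseline and cap, tune per site

def difficulty_bits(req_rate, normal_rate, failed_logins):
    """Required leading zero bits: +1 per doubling of traffic over normal,
    +1 per recent failed login from this IP (at most 8), capped at MAX_BITS."""
    bits, ratio = BASE_BITS, req_rate / max(normal_rate, 1)
    while ratio >= 2 and bits < MAX_BITS:
        bits, ratio = bits + 1, ratio / 2
    return min(bits + min(failed_logins, 8), MAX_BITS)

def issue_challenge(client_ip, bits, now=None):
    """Stateless challenge: ip|bits|timestamp|nonce|HMAC tag."""
    ts = int(time.time() if now is None else now)
    msg = f"{client_ip}|{bits}|{ts}|{os.urandom(8).hex()}"
    return f"{msg}|{hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()}"

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge):
    """Client side: brute-force a counter; expected cost is 2**bits hashes."""
    bits, counter = int(challenge.split("|")[1]), 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}|{counter}".encode()).digest()) < bits:
        counter += 1
    return counter

def verify(challenge, counter, client_ip, max_age=120, now=None):
    """Server side: one HMAC and one hash, whatever the difficulty."""
    parts = challenge.split("|")
    if len(parts) != 5:
        return False
    ip, bits, ts, _nonce, tag = parts
    expected = hmac.new(SECRET, "|".join(parts[:4]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):  # bits or IP tampered with
        return False
    now = time.time() if now is None else now
    if ip != client_ip or now - int(ts) > max_age:
        return False
    # A real deployment would also record spent nonces to block replay within max_age.
    digest = hashlib.sha256(f"{challenge}|{counter}".encode()).digest()
    return leading_zero_bits(digest) >= int(bits)
```

Each extra bit doubles the client's expected work while the server's verification cost stays constant, which is what makes raising the difficulty under load cheap for the defender.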


Right, but they still will be slower than if there was no protection at all. 100 slower cores vs 100 cores churning out requests ASAP.

For a determined or resourceful attacker, this alone won't be a good enough defense, but I can see it being a layer of defense in depth.


I don't get this. People can still create 1000s of fake users on my website just by _buying captcha solves_?

Type of spent resource is rather irrelevant, isn't it?


Yes, but they can't create 1000s of fake users on EVERY website, unless they wanna shell out millions of dollars per year for the compute power required.


It puts a price on doing so, a price which you could increase based on demand.



