Again, wouldn't it be easier for the attacker to just buy a domain and use that completely undetected instead of having to use a rate-limited disposable email service?
You're assuming they're doing it hundreds of times a minute. Often they're signing up for the accounts by hand to get through the captchas. The rest of it can be automated
That's what I would assume most of them are doing, yes.
In this day and age I don't understand why they wouldn't be able to just use a headless browser instead of doing it manually - has labor really become this cheap?
Captcha and rate limiting solutions are extremely good at stopping completely automated signups. It's far easier to pay someone in India a few bucks to sign up for a hundred accounts so you can do card testing than it is to run a server and write software for it. Hell, most of these people probably aren't even programmers.
I think that's for the small players though as this should be pretty slow, expensive and have the risk of the "employees" stealing the data (the business they are in is practically stealing so I don't think they have high morals).
