I am chiming in mostly as a data point. I have been usings WHMCS for over 10 years and never had any major issues up until now. As of a few days ago I am getting hundreds of fake users per day which is taking an incredible amount of time to delete and try to mitigate.
I have tried all solutions mentioned in this thread (with the exception of the rewrite rule, which I just added now) and typically whenever I block and IP, email, domain, add a custom field, etc. they just change their attack vector a bit and the fake accounts start to come back a few hours later. I hope the rewrite solution (mentioned above) fixes this.. but my hopes are not all that high. They will likely just switch to HTTP 1.1. I would not be surprised if they are following/reading this thread.
I wish WHMCS would allow us to:
1) Mass delete users
2) Automatically delete all unverified user accounts within X hours
3) Have a better captcha system since it is obvious the attackers are able to bypass both the WHMCS captcha and Google's ReCaptcha
