I looked at the lemmy stats again today like the last few days (since the 1st of July), apparently tonight there has been another wave of bot signups.:
Lemmy: 1,555,395 overall users (+ 2363)
Kbin: 55,201 overall users (+ 433)
Active last 30 days:
Lemmy: 56,859 users (+ 1142)
Kbin: 55,099 users (+ 331)
^ 2023-07-02 20:15:00 CEST
Lemmy: 2,179,081 overall users (+ 623686, bots)
Kbin: 55,863 (+ 764)
Active last 30 days:
Lemmy: 59,438 (+ 2579)
Kbin: 55,532 (+ 433)
^ 2023-07-03 13:30:00 CEST
Of course “tonight” refers to tonight in central european summer time so it probably was more middle-of-the-day for you.
If you go to the site I linked at the beginning and sort by “Total users” you can see instances with 80000 users and 1 active user for example.
Open signups should be prohibited and affected instances should do something against the botted accounts or defederate. New instances should at the very least start using captchas and email verification.
Traditional captchas have been easier for computers than humans for a while. I imagine these “pick all matching” captchas aren’t far behind.
The main reason to do captchas nowadays is to keep the door closed. Of course they do not deter more expert-ish people, but opportunity “hackers” aka script kiddies. If you’re not using captchas you’re just inviting them to run a script on your site. Big sites use captchas, there’s no reason for the fediverse to not use captchas. We don’t need to be “special” in regards to security.