If you manage to do it for only suspicious-looking login attempts, thats actually a great way to both stall them and benefit. it just feels so much win
but are these scripts sophisticated enough to run JS etc?
If you fail to detect a bad botnet once and show the mining script to an important crawler (like a search engine), and then land on a blacklist, it could potentially require a huge effort to get off it again. It's simply not worth the risk.
Some of them can run Javascript, I'm thinking specifically of people who write scrapers in things like PhantomJS (headless browser, very very cool software).
but are these scripts sophisticated enough to run JS etc?