by jjjjjjjjjjjjjjj 1261 days ago
I spent a lot of time playing cat and mouse with this type of toll fraud in 2022.

1. Rate-limited SMS by number/IP: bypassed by a large number of proxies/VPNs.

2. Added CAPTCHA: bypassed by the attacker manually signing up thousands of accounts (Mechanical Turks?) over months and then iterating over them for login OTPs.

3. Identifying which carriers/operators are involved and blocking them ASAP (usually obscure ones).

4. Careful monitoring of SMS send rates and alerting on anomalies to investigate.

1 comment

Good advice. By the way, the reason CAPTCHA didn't stop it is that reCAPTCHA is $2 per 1,000 solves on 2captcha.com (or any other solving service); at $0.02/SMS this only lowers their profitability by 10%.
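The following is an added example (not code from either commenter) of what points 1, 3 and 4 of the first comment look like in practice: a per-key sliding-window rate limit, and a per-destination-prefix rate monitor that catches the distributed version of the attack that the per-key limit misses. The log lines are constructed, the thresholds are arbitrary, and the 5-digit destination prefix used as a carrier/range proxy, the baseline table, and the "+2505..." range being treated as a premium-rate target are all assumptions made for the example, not claims about any real operator.

```python
"""Toll-fraud (SMS pumping) detection over an OTP-send log.

Added example, not from the thread. Implements a per-key rate limit
(point 1) and a per-prefix send-rate anomaly check (points 3-4), and
shows why the per-key limit alone is defeated by a pool of IPs/accounts.
Prefix length, thresholds, baseline and the log itself are constructed.
"""
from collections import defaultdict, deque

# Constructed sample log: (unix_ts, client_ip, account_id, e164_destination).
# A normal trickle to several countries, then 40 sends within one minute to
# a single number range (+2505xxxxxx, ASSUMED premium-rate for this example),
# each from a fresh IP and a fresh account so no single key trips a limit.
SAMPLE_LOG = [
    (1000, "10.0.0.1", "alice", "+14155550101"),
    (1005, "10.0.0.2", "bob", "+447700900101"),
    (1010, "10.0.0.3", "carol", "+4915112345678"),
    (1015, "10.0.0.1", "alice", "+14155550101"),
    (1020, "10.0.0.4", "dave", "+33612345678"),
    (1025, "10.0.0.5", "erin", "+14155550199"),
] + [
    (1030 + i, f"203.0.113.{i}", f"acct{i:03d}", f"+2505{100000 + i:06d}")
    for i in range(40)
]

# Assumed baseline: expected sends per 60 s window for known-good prefixes.
# Unseen prefixes get a baseline of 1, so a sudden burst to a new range
# stands out even though we have never sent there before.
BASELINE = {"+14155": 5, "+44770": 5, "+49151": 5, "+33612": 5}


def per_key_rate_limit(events, key, limit, window):
    """Sliding-window limit. Returns the set of keys (ip, account or
    destination) that exceeded `limit` sends within `window` seconds."""
    idx = {"ip": 1, "account": 2, "destination": 3}[key]
    recent = defaultdict(deque)
    tripped = set()
    for ev in events:
        ts, k = ev[0], ev[idx]
        q = recent[k]
        q.append(ts)
        while q and q[0] <= ts - window:   # drop events outside the window
            q.popleft()
        if len(q) > limit:
            tripped.add(k)
    return tripped


def prefix_of(number, digits=5):
    """'+' plus the first `digits` digits: a crude carrier/range proxy."""
    return number[: 1 + digits]


def prefix_anomalies(events, baseline, window=60, factor=5, min_sends=10, digits=5):
    """Flag destination prefixes whose sends in any `window` exceed both
    `min_sends` and `factor` times the baseline. Also reports how many
    distinct IPs/accounts fed the burst, which is what distinguishes a
    distributed pumping run from one noisy client."""
    recent = defaultdict(deque)   # prefix -> deque of (ts, ip, account)
    flagged = {}
    for ts, ip, acct, dest in events:
        p = prefix_of(dest, digits)
        q = recent[p]
        q.append((ts, ip, acct))
        while q and q[0][0] <= ts - window:
            q.popleft()
        n = len(q)
        if n >= min_sends and n > factor * baseline.get(p, 1):
            flagged[p] = {
                "sends": n,
                "distinct_ips": len({e[1] for e in q}),
                "distinct_accounts": len({e[2] for e in q}),
            }
    return flagged


if __name__ == "__main__":
    # Per-IP and per-number limits see nothing: every burst event is unique.
    print("per-ip tripped:", per_key_rate_limit(SAMPLE_LOG, "ip", 3, 60))
    print("per-dest tripped:", per_key_rate_limit(SAMPLE_LOG, "destination", 3, 60))
    # The prefix monitor sees the burst and the fan-out behind it.
    for prefix, info in prefix_anomalies(SAMPLE_LOG, BASELINE).items():
        print(f"ALERT prefix {prefix}: {info}")
```

The per-key limit returns nothing for the burst because each of the 40 sends comes from a different IP and account, which is exactly the bypass the first comment describes; the prefix monitor flags the range because the aggregate rate to that prefix is far above baseline and the high distinct-IP/distinct-account count shows it is distributed. In production the prefix would be replaced by a real carrier lookup from the SMS provider, and the flagged prefix would feed the block list from point 3.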