by Jhsto 4810 days ago
Sometimes crackers do this to obtain accounts to your service or to reverse engineer some of their already stolen accounts. Not much can be said since you haven't specified the service in question.

You could implement CAPTCHA in your system and see if the bots struggle with it. The next step from there would be to add CSRF protection, which is not visible in the DOM. Something like this is used on Instagram.

1 comments

Thanks. CAPTCHA/CSRF is not an option since it is meant to be an API called from applications. As a precaution make a phone call to verify the user. That guy went through all the things and theoretically we can actually track him down (costly though). I have blacklisted the phone; the question is how many phone numbers does he have :). Added a per-day free call limit to stop this for future attempts.