It doesn't work.
Google is using machine learning to stop them while the machines are learning at the same time, using the same pictures. It's a cat-and-mouse battle of technology, except that it really isn't; it's an illusion. The bots don't necessarily have to be smart: Google only has so many images to feed you, and once the machine learns them all the system becomes useless. I tried CAPTCHA; the bots broke through all the time. I required extra items such as social media links; they just added that to the bot. I tried blocking IPs by country; this blocked casual stuff, but the pros use VPNs now and just reroute or register a server in that country with a stolen card (only has to work for a short time). I even had lists of free email providers blocked; this helped a lot actually but really impacted legitimate users as well, since few use the one provided by your ISP (and you shouldn't).
What does work is setting up lists for site owners to share and report bad actors, like Project Honey Pot, which are then blocked. This has worked far better for my sites than anything else I've tried by far. Yes, there can be false positives (very few in my experience) and it is reactionary (someone needs to report them before they are blocked), but it cuts out about 99.99% of the spam and reduces user frustration by a ton.
People not running sites and servers have no clue the amount of people trying to hack into things; it's simply staggering.