Although, on the one hand, I want to basically praise, and agree with what you have been doing and done. On the other hand, ...
I checked the registered email addresses of all these users (just a small handful at this stage) and all but 1 have been compromised in a known data breach involving one or more third-parties.
Before anyone panics, it's important to stress that the breached sites/services do not include EEVblog, the forum or anything connected to Dave.
How exactly did they (the hackers/spammers, or whatever they should be called), know which emails, belonged to EEVblog members?
Did they (something on the lines of) have a big list of compromised emails (tens of thousands, or millions or more), and speculatively, attempt to use each one, to either log on or change passwords, on this forum.
Because if they did, and it was scripted/automated (on their side). Server/router/etc automated rules (whatever its called), possibly could have auto-banned the (presumably) single IP they used, for such attempted account breaching. I.e. A single IP address, shouldn't be able to try many different email addresses, without being challenged and/or given big/powerful captcha hurdles.
Also, the webpage which allows changing forgotten passwords (if applicable in this case, I don't know). Could have a powerful captcha, to hopefully largely advert mass automated scripts from trying out a massive lists of compromised email addresses.
One solution, would be an automatic, big captcha or set of them, when logging in to an account, which has been dormant for a period of time (no logins or posts). E.g. 1 Month.
The current CAPTCHA's, seem to be way too easy. E.g. One seems to always say what is 84 / 2, which of course is 42. But there is a second one, which is a little bit difficult, not not especially so.
Obviously there are many ways of improving (if necessary), such security. There could be add on packages, which improve it, for the forum software.
Maybe the differing country code (from the IP address), I presume. Could flag a possible security breach, and/or increase the number/difficulty of CAPTCHA's.