Stupid Chinese and Russian bots!

I noticed a sudden increase in my bandwidth usage and decided to dig through my logs. Turns out, bots from China had found my site and brought along a few others. Great.
Most of the activity was focused on login and registration credential stuffing—nothing too serious, just bots testing stolen passwords to see if they could get a match.

I ended up blocking Africa, South America, and Asia using Cloudflare and added some honeypots to my form fields. This reduced the problem significantly, but a few still managed to slip through. Without going full 2FA or using Captchas, what methods have you guys used to mitigate this?
I’m open to using 2FA, but it can be a hassle.
Update: I made several changes last night, shortly after posting. Just sharing an update in case anyone else faces a similar issue.
I blocked all IP addresses from Asia, Russia, and South America. In the past 20 hours, it’s blocked 91 attempts from China, 16 from Russia, and none from South America so far.
I also added honeypot input fields that redirect traffic to an error page if triggered on the backend.
In my Go fiber configuration settings, I varied actions by endpoint. For registration and login, I limited new registrations to 1 attempt per IP every 24 hours and logins to 3 attempts every 2 hours.
All suspicious activity has stopped for now.

The v3 Google reCaptcha is “silent”. That is, people won’t even be aware that a captcha exists. However, it is very effective at blocking blatant spam.

If you’re under attack, captcha can be a costly solution. This is what I recommend:

You should ban traffic from China and Russia if you don’t have any users there.
Stop accepting any strange requests. Make sure that each authentication request comes from a browser and has a correct header.
After X unsuccessful tries, block any IP address; reset the block after Y hours to prevent blocking valid traffic.
Even if bots change their IP address, you can still detect them with technologies like FingerprintJS.
If you still have a problem after that, 2FA is your only answer.
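The two measures discussed above, the per-endpoint attempt limits in the original poster's update (1 registration per IP per 24 hours, 3 logins per 2 hours) and the "block after X tries, reset after Y hours" advice in the reply, are illustrated below in one added example. This is not the original poster's Go Fiber configuration or anything from the replies; it is written against Go's standard library `net/http` and assumes a hidden honeypot field named `website` and an error page at `/error` (both constructed for the example).

```go
package main

import (
	"net"
	"net/http"
	"net/url"
	"strings"
	"sync"
	"time"
)

// attemptLimiter counts attempts per client IP inside a fixed window and
// blocks once the limit is reached; the block lifts when the window expires,
// which is the "reset after Y hours" behaviour from the thread.
type attemptLimiter struct {
	mu     sync.Mutex
	limit  int
	window time.Duration
	seen   map[string]*bucket
}

type bucket struct {
	count int
	start time.Time
}

func newAttemptLimiter(limit int, window time.Duration) *attemptLimiter {
	return &attemptLimiter{limit: limit, window: window, seen: map[string]*bucket{}}
}

// allow records one attempt from ip at time now and reports whether the
// client is still within its limit. Taking now as a parameter keeps the
// window logic testable without sleeping.
func (l *attemptLimiter) allow(ip string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.seen[ip]
	if !ok || now.Sub(b.start) >= l.window {
		// First attempt, or the previous window has expired: start a new one.
		l.seen[ip] = &bucket{count: 1, start: now}
		return true
	}
	b.count++
	return b.count <= l.limit
}

// honeypotTriggered reports whether the hidden form field was filled in.
// Humans never see the field (assumed hidden via CSS), so a non-empty value
// almost always comes from a bot filling every input it finds.
func honeypotTriggered(form url.Values, field string) bool {
	return strings.TrimSpace(form.Get(field)) != ""
}

// clientIP strips the port from RemoteAddr. Behind a proxy such as
// Cloudflare you would read the proxy-supplied client IP header instead.
func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// guard wraps a form handler: honeypot hits are redirected to the error
// page (as the original poster does), then the per-IP limit is applied.
func guard(l *attemptLimiter, honeypot string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if honeypotTriggered(r.PostForm, honeypot) {
			http.Redirect(w, r, "/error", http.StatusSeeOther)
			return
		}
		if !l.allow(clientIP(r), time.Now()) {
			http.Error(w, "too many attempts", http.StatusTooManyRequests)
			return
		}
		next(w, r)
	}
}

func main() {
	// Limits from the original poster's update, varied by endpoint.
	register := newAttemptLimiter(1, 24*time.Hour)
	login := newAttemptLimiter(3, 2*time.Hour)

	mux := http.NewServeMux()
	mux.HandleFunc("/register", guard(register, "website", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("registration accepted\n"))
	}))
	mux.HandleFunc("/login", guard(login, "website", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("login processed\n"))
	}))
	http.ListenAndServe(":8080", mux)
}
```

The limiter above counts every attempt, as the original poster's limits do. To count only unsuccessful tries, as the reply suggests, call `allow` after the password check fails rather than before the handler runs. The state lives in process memory, so it resets on restart and is not shared between instances; a shared store would be needed for that.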

You blocked 6.5 billion users on three continents as a solution? That will seriously impede your user acquisition efforts.

If you want to stall on 2-factor, I’d recommend finding a way to detect the attack and enable a non-transparent Captcha until it stops.

Typically, you will receive either an excessive volume from strange nations or an excessive volume overall. When it hits a threshold, start requiring a high-friction captcha.
I’ve seen attacks recently that are not mitigated well by transparent captcha.
But long term, captchas are going to be obviated by AI, and 2-factor is your only long term solution, so when you have a moment, bite the bullet.

Since 2FA/2SA is not an anti-bot tool, I don’t think it will be very helpful in general.