Limiting req/s by ip to captcha is not solution, it's just patch which is not fixing fully of issusie

I wrote only of found issue's, i also know about tweaks which you made yesterday/today (maybe not all, but much )

Add to 2nd - simple downloading static files also can be a require to make sure it's not a bot

Also , 1 very tricky solution can be - coordinate of clicking of interaction buttons ( you can send info to your server, just to explain of user actions, but as expirience it's hard using, cause emulator can also randomize if he will find this trick ) - same coordinate's can prevent emulator browser bots

But don't ban bot's ip when they did mistake, cause it's giving a information which mistake they did, wait some time , also good move to hide error on "Game has been attacked"

Wallets bans can be useless, cause you can make 1 wallet for check theory ( don't forget about proxies, which can easy self-maded) . And also make script to transfer all crabs and make teams to another wallet ( it's not too hard )

Also i would recommend to not ban bots, just fix issue's. Cause making ban - you not taking additional info's ASAP