How and why would CB captcha work any different than the captcha I'm using now?
E-mail confirmation isn't on, because if they don't get the e-mail they can't get the instructions on how to activate their account, and if they don't follow the instructions to activate their account, it never gets activated anyway, so it can't access the site.

We have alternative instructions for gaining access to our site.

I've sent you the URL in a PM.

I've verified that the security code is required to actually register, not entering it fails the registration. So either the bots are filling it out or bypassing it, or humans are making bot like accounts.

No sure I understand this - this would mean that I would not even need a live email address to register. Just makes things easier for spammers.

They can register, but they can't access the site. All accounts are manually activated after they follow the instructions in registration emails. Since spammers can't and don't follow those instructions the accounts are never activated. The issue isn't so much with spam on the site as it is their emails end up bouncing, so I end up getting repeated notifications about failed deliveries of the activation e-mail. As more spam accounts sign up, I get more and more notifications and of course google turns around and retries those messages and they notifications just grow exponentially.

Not receiving the activation email doesn't mean that they cannot try login in a couple of days after their registration attempt.

They could, but it's pointless. Their accounts are never activated.

Well if bots are really involved and not humans, then the code would need to be able to recognize the image and automatically populate the field.

As recaptcha is very popular I can see spammers investing in coding this as it would have use on many sites.

CB Captcha basically works the same way which the exception that it does not access a different site to generate the image (everything is on your site).

So basically CB captcha is a different captcha, not inherently better or coded in some other way that would make it less vulnerable to bots? The plugin I'm using now also has an option for "mycatpcha" which is a captcha hosted on your own site, I just enabled recaptcha because it was quick and easy. Maybe I'll try the other one.

Just a follow-up. changing to mycaptcha which is run locally off my server has reduced spam sign-ups to zero. I find it unlikely that they just stopped signing up the day I changed my captcha, but obviously something is off with recaptcha or the integration.