I've noticed there has been another case. The account was dealt with before I could check its age, but given that I didn't spot any suspicious recent-looking accounts, I'm going to assume it registered more recently.
I'm going to look at integrating reCAPTCHA, which should be more resilient than SMF's built-in CAPTCHA - I did try using an SMF addon, but it didn't work, so I'm going to have to try doing it manually. I'll also update the forums to SMF 2.0.18 at the same time (I've already done this part in the source code, though haven't pushed it live yet - in case of a future need to restore to source, it should be safe to just directly restore this 2.0.18 commit with the existing database, rather than hunting down the last 2.0.17 commit).