I've found the "easy question" captcha to be more efficient than the standard captcha as well. I've used reCaptcha v3 and had success, but it does seem like something that could be bypassed, although it actually seems pretty good in my experience. Are you sure you implemented it correctly?
I wonder if they are accessing the shared file to get around all of your security.