Adding to MainMa's answer...

Spammers trick others into doing the CAPTCHA for them

Basically, spammers set up a warez site or a porn site that appears to have a CAPTCHA on it, but it's not a real CAPTCHA. A bot pulls the CAPTCHA from the site they want to spam (or otherwise exploit), and then displays it on the warez site or a porn site where someone completes it for them. Then the CAPTCHA value is passed back to their bot...

A bit more on Spammers

I use reCAPTCHA, and I've found that it's basically worthless. I also use a custom spam filter that catches the spam that got past reCAPTCHA, and I need to review it every few days for false positives.

My forum is also all custom-written and it gets very little traffic. I don't believe anyone coded a specific attack to my site. Still, my spam filter catches 2k spam messages a day! None are ever displayed on the site. Spammers get no benefit from spamming me, yet they still do.

I can see patterns in the spamming attempts because I log it all. I can tell you this: putting aside how they get past the CAPTCHA, spammers are clearly using a brute force technique varying the fields that are filled out and the kind of data and word mixes that populate those fields. Apparently they do this so cheaply (including bypassing the CAPTCHA) that it doesn't even pay to do an analysis of the individual sites to see of if what they are doing is or isn't working.

Year after year, they continue targeting my site with thousands of spam messages a day only to get one through every month, and that one gets manually deleted a day later. It's that cheap to spam!

This is going to be a battle for years to come. Particularly for small one-man moderator sites like mine.

EDIT 6/22/2017 : I want to add that since this post google has completely revamped reCAPTCHA and as of this writing it has been working flawlessly. Though I suspect there is a bit of false positives or its a pain for users as post have dropped a bit since I implemented it. The 2 big changes are

1) They are using Images instead of text (So no more OCR)

2) They are combining it with the users activity across all site that use reCAPTCHA. So if you get past the reCAPTCHA on site A, then go to Site B it may not even prompt you to prove you are human! Also (I think) if you are hitting too many reCAPTCHAs across too many sites it will flag you as well. I am sure it is using other sorts of AI based on the users activity as well.

I'm sure its just a matter of time until spammers beat this as well...