I don't really see how this is a solution if 28k signups takes down your DB. Say you're targeting a hash difficulty that adds around 1 full second to the signup process for real customers on lower end devices running your in-browser hashing code. The CPU on whatever machine your spammers are already sending the spam requests from (which was likely mostly idle while running a script bound on network IO) can probably run a native version of the hashing code at speeds that get ~100 hashes per second or so. So it would take them what, 5 minutes to send enough signups to take down your database again? Numbers might be off since I'm just ballparking, but even if it takes them an hour, is that acceptable?