It seems someone wrote an application to generate many thousands of authentication request from authentication service we created. They used some phone numbers to verify account that seems temporary (acquired from voip service). This seems a little wired. Why someone would do that? He managed to make the system spend some small amount for making the calls but that is probably what they spent to receive the phone calls.
Sometimes crackers do this to obtain accounts to your service or to reverse engineer some of their already stolen accounts. Not much can be said since you haven't specified the service in question.<p>You could implement CAPTCHA to your system and see if the bots struggle on it. Next step from it would be to make a CSRF protection, which is not visible in DOM. Something like this is used on Instagram.