Interesting! What I was thinking of was use of legitimate captcha integrations (reCAPTCHA, hCaptcha) in front of fake banking websites. Drives me crazy that there isn't an easy avenue to report those.
Oh some of them definitely use a real reCAPTCHA, hCAPTCHA, or Turnstile widget. It actually useful sometimes to track the same API key being used across multiple different domains
But yeah, I wouldn't even know where to report those API keys for abuse
