Disable any public api access and implement something such as
https://www.imperva.com/products/advanced-bot-protection-management/
(or any similar native WAF measures that may be an option if you use a CDN - cloudflare have solutions)
On the wonderland and abracadabra websites
This will help ensure there’s a person at the end of a session and not a bot.
Also look at legitimate traffic profile and build blocks for everything else (I.e user agent strings, geolocation, requests per second - capcha?)