Won't work. The botnet doesn't have to crack a specific account. There are tens of thousands of computers (lets say: 10000) trying out tens of thousands of accounts (lets say: 10000), probably only doing one attempt at guessing the pin. With a probability of 1:10000 for guessing right, one account is bound to be compromised with each single run.
HTB.
If I understand what
serpens is suggesting, it is in essence a temporary locking of the account on repeated attempts. He says 1 second after 2nd attempt, 10 seconds after 3rd, etc...
Now, we can use that principle and use different lengths: short delay (seconds) up to 3 attempts but then locking you out for, say, 15 minutes or 1 hour, after 3rd attempt. If so, cycling through a large number of pins will take considerably longer (weeks rather than minutes). Whichever computer you have at your disposal does not change anything if you are locked after a number of consecutive attempts regardless of the origin of the attempt.
AIUI, it is a fairly widely used security feature to temporarily lock somebody out of their account after a pre-defined unsuccessful number of attempts.