The whole *point* of any 2FA is that it acts as a filter for automated, high-volume login attempts.
Hackers can spam a million accounts a minute, actual users might rely on 2FA a handful of times a week.
Almost by definition, the vast majority of 2FA requests are malicious.