I already mentioned about using OCR Tesseract in my list and @OP didn't seem to care. You're 100% correct saying that it's possible to create thousands of accounts though. I could create a POC right now and make 100k+ accounts. Email verification / authentication is easily bypassable. I can just set up a mail server, buy a basic domain and just iterate through random email addresses on that domain and fetch the verification codes and verify them. This is an extremely simple process and I could clog up the server with thousands of users.

In addition to this, there are more vulnerabilities that have been unpatched.
1. Post variable country on http://www.100bit.co.in/trade.php is SQL injectable.
2. Post variable trade on http://www.100bit.co.in/trade.php is SQL injectable.
3. http://www.100bit.co.in/support.php?mode=change_ststus&status=1&ticket_id=[ticketid] allows you to close or open any ticket regardless if you own it or not. This also has no CSRF or captcha protection on it.
4. http://www.100bit.co.in/order.php?mode=del_interest&id=[interestid] seems like you can delete other peoples interests as well.

I could probably find even more, but seeing as the owner didn't want to pay me out for the others I found even though they were totally unique to the previous founds, I'm not going to waste anymore time on it. 100bitcoin, when you feel like actually paying out, then I may consider taking another look at it.

If you reported it before me then you should get the bounty.