How can brute forcing passwords still exist if sites lock the account after several failed attempts?

15 Answers

Anonymous

As someone who deals with these kinds of attacks regularly, there are a few ways around this.

The first thing most hackers do nowadays is to use combination-lists. There are lists on the net with literally billions of username/email/password combinations that got stolen in the past years, for example from the Adobe and LinkedIn hacks. Those passwords were hashed, but a lot of hackers tried to crack those passwords and shared the results. All those results combined form a ‘combination-list’ (both because they contain email/password combinations and because it is a combination of several hacks and cracking done by other hackers).

Those lists usually only have a few passwords per email address, so even if the account is locked after a few tries, they probably are in already or have moved on to the next combination.

Those hackers also hide their tracks quite well and very often use “residential proxies”, which means those tries do not come from a single address, but from thousands of addresses; I’ve seen up to 60k different addresses in a single attack. So if you block an address after 5 tries for an hour, they can still try up to 7.2 million combinations in a day.

Brute-forcing a single account with random passwords is rarely done nowadays.

But what I see the most nowadays is hacked Google accounts; when they get access to your Google account they get access to the passwords stored by Chrome there, and if those are used the hit rate (number of successful logins vs. failures) is enormous.
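The point above about per-address lockouts not stopping attempts spread over thousands of addresses, as an added defender-side example that is not part of the original answer: a small detector run over a constructed login log, comparing the classic "5 failures per hour per IP" rule with a per-account count of distinct failing sources. The log format, account names, addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from the original post): time, source IP,
# account, outcome. No single address fails more than three times, so a
# "5 failures per hour per IP" rule never fires, while alice's account is
# being tried from several different addresses at once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.10 alice@example.com FAIL
2024-05-01T10:00:02 203.0.113.10 alice@example.com FAIL
2024-05-01T10:00:05 198.51.100.7 alice@example.com FAIL
2024-05-01T10:00:09 198.51.100.8 alice@example.com FAIL
2024-05-01T10:00:12 192.0.2.44 alice@example.com FAIL
2024-05-01T10:01:00 203.0.113.10 bob@example.com FAIL
2024-05-01T10:01:30 198.51.100.9 bob@example.com FAIL
"""

def parse_log(text):
    """Turn the text log into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events

def per_ip_lockouts(events, max_fails=5, window=timedelta(hours=1)):
    """Classic rule: lock a source IP after max_fails failures within window.
    Returns the set of IPs that would be locked."""
    recent = defaultdict(list)
    locked = set()
    for ts, ip, _account, outcome in sorted(events):
        if outcome != "FAIL":
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_fails:
            locked.add(ip)
    return locked

def sprayed_accounts(events, min_sources=3, window=timedelta(hours=1)):
    """Per-account view: accounts whose failures within window came from at
    least min_sources distinct IPs. Returns {account: distinct_ip_count}."""
    fails = defaultdict(list)  # account -> [(ts, ip), ...] within window
    flagged = {}
    for ts, ip, account, outcome in sorted(events):
        if outcome != "FAIL":
            continue
        fails[account] = [(t, i) for t, i in fails[account] if ts - t <= window] + [(ts, ip)]
        distinct = {i for _, i in fails[account]}
        if len(distinct) >= min_sources:
            flagged[account] = len(distinct)
    return flagged
```

On the sample log `per_ip_lockouts` returns an empty set while `sprayed_accounts` flags alice's account with four distinct failing sources, which is the gap the answer describes.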
