And in addition to the implicit proof-of-resources of forcing attackers to run a bunch of Chrome slaves, there' are also explicit POW/S challenges in the code, according to the article. It's quite an old idea [1], to add a cost which is trivial for users but a significant overhead for spammers
And if you don't stop them, you at least slowed them down big time. This could also be enough to make the attack useless.