It's an attempt to thwart being fingerprinted.
If you see a ton of requests from the same subnet(s) and using the same (or very similar) useragents and the conversions turn out to be fraudulent, you can easily lump similar-looking transactions together and discard them all. "Hey, everything we see from 5.62.160.0/19 and using Chrome is fraudulent. I'm not paying for those."
In this case, the nefarious affiliate's revenue depends on his ability to make the traffic look unique and authentic. They likely grabbed a list of all possible historically-valid useragents and pick one at random per request to try to make his bot traffic appear to be sourced from a number of unique users.
Since he's cycling useragents on each request, it outs him just the same-- no legitimate user's traffic patterns look like that.
If you have a list of IPs, you should get the ASN/ISP data for each of those and refuse to pay for anything coming from a VPS provider-- no DigitalOcean, Linode, OkServers, Choopa, OVH, Hetzner, Amazon, etc. conversions should be trusted.
(Clickfraud is so rampant I honestly don't know why anybody pays to advertise on the internet.)