Good point, but in that case why don't the ranges correspond to proper network masks? Most ISPs will allocate IP addresses from within an entire network mask rather than from some of the rather odd ranges that don't seem to correspond with any mask numbers.
You can certainly set up a specific DHCP server to return addresses within any range, even those that don't correspond with a network mask, but in general a hacker won't know what the specific DHCP ranges are for any particular ISP's servers. However, the IP numbers will be allocated to the ISP in network mask ranges; the hacker can't in general know whether the ISP's DHCP servers match the network mask.
We don't know what is happening on the provider side either. If the bad guy only observed hits in a specific range over a number of days, he will report that range. Other IPs in the subnet can be used for other purposes like servers, static IPs, non-renewing dynamic IPs (not renewing over scan period), etc. Also, they need not be dynamic at all; that is merely the most likely scenario. Given a whole block of static IPs, if you had 20 infected machines dispersed over 100 IPs, rather than listing IPs, you can just list the lowest and highest IPs to give a range where you are likely to get 20 hits when scanned again.
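
An added example, not part of the thread: it shows why a lowest-to-highest range taken from observed hits rarely lines up with a single network mask, and how a defender can turn such a reported range into CIDR blocks for a firewall or blocklist rule. The addresses are constructed from the 198.51.100.0/24 documentation block, and the function names are this example's own.

```python
import ipaddress

# Constructed sample: addresses where infected hosts were observed.
OBSERVED_HITS = ["198.51.100.90", "198.51.100.37", "198.51.100.133", "198.51.100.52"]


def range_from_hits(hits):
    """Return (lowest, highest) address among the hits, compared numerically."""
    addrs = sorted(ipaddress.ip_address(h) for h in hits)
    return addrs[0], addrs[-1]


def cidr_blocks(first, last):
    """Smallest list of CIDR networks that covers first..last exactly."""
    return list(ipaddress.summarize_address_range(first, last))


def is_single_mask(first, last):
    """True only when the range is exactly one network (one mask)."""
    return len(cidr_blocks(first, last)) == 1


def enclosing_network(first, last):
    """Smallest single network containing both ends; may cover extra hosts."""
    net = ipaddress.ip_network(f"{first}/{first.max_prefixlen}")
    while last not in net:
        net = net.supernet()
    return net


def describe(hits):
    """Summarise a reported range for rule writing."""
    first, last = range_from_hits(hits)
    return {
        "range": f"{first}-{last}",
        "single_mask": is_single_mask(first, last),
        "exact_blocks": [str(n) for n in cidr_blocks(first, last)],
        "enclosing": str(enclosing_network(first, last)),
    }


if __name__ == "__main__":
    for key, value in describe(OBSERVED_HITS).items():
        print(f"{key}: {value}")
```

The exact block list matches the reported range and nothing else, while the enclosing network is a single rule that also covers addresses nobody reported.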