We don't know what is happening on the provider side either, if the bad guy only observed hits in a specific range over a number of days, he will report that range. Other IPs in the subnet can be used for other purposes like servers, static IPs, non-renewing dynamic IPs (not renewing over scan period), etc. Also, they need not be dynamic at all, that is merely the most likely scenario. Given a whole block of static IPs, if you had 20 infected machines dispersed over 100 IPs, rather than listing IPs, you can just list the lowest and highest IPs to give a range where you are likely to get 20 hits when scanned again.
Has this information been reported to LE?