Yes I see after looking at the various plugins on GitHub it seems they replace the & ampersand string with & when they pull contents from the HTML. They also fake / spoof referrers and can change user-agents etc but they do it properly not like the person who has ended up in my logs. As you said they did it is badly.
I feel this could be a loosing battle if they are spoofing the user-agent referrer etc it is pointless for me to block them since they will update their plugin to change it to match with legitimate web-browser user-agents like chrome, Firefox, Internet Explorer, Microsoft edge etc.
What a pickle this is :(
http://www.networkflare.com/