And by the time you've blocked them, they've moved onto other IPs. I worked at a company that took these attacks very seriously but never found a way to block them. We just watched and reset the account passwords to prevent the accounts from being used.

Stop reusing passwords.

Hackers are constantly trying websites everywhere with username/password pairs stolen in breaches. Its programmatic, uses rotating proxies, and is hard to stop for most security/IT programs. If you reuse passwords, this will happen to you.