Bad actors might use the data you're publishing to fingerprint specific exploits to which the machines are vulnerable, multiplying the problem.
If producing an IP blacklist is one of your aims, divorcing it from any specific traffic would be more responsible.
You may also want to consider the risk traffic from compromised machines could leak PII (eg. say a script tried to use you as a relay to exfiltrate data) - and the ethical and legal consequences. A filter for SIN, credit cards, etc. would be a basic table-stakes mitigation step.
Hard for me to find much sympathy for negligent users who unintentionally allowed their home computers or phones to join a malicious botnet, or their ISPs who aren't stopping the activity. Even if it is my own grandma's PC.
I agree about the content though, there probably are a lot of actually innocent victims' personal information in the traffic itself.
it might be interesting to have an eye on this while you are talking to the phone scammer.
The aggregations of popular logins and IP locations seem interesting.
Files uploaded 25,522 (46 unique)
Malware uploaded 7,735 (43 unique)
I wonder what 3 files were so common that they were uploaded 17,787 times instead of malware.Try fingerprinting the behaviour in the sessions. Over time you should be able to distinguish between various automated tools and live people.