I've recently noticed a bot using a Russian IP address 91.241.19.84 that has tried to hack my site every day since the 8th of November (1.73k requests so far).

Question: is there something more than just blocking the requests that can be done?

Is it legal/possible to hire an ethical hacking company that can go on the offensive against these malicious actors to rack up server expenses for the hackers running the bot or some other lightweight, non-lethal deterrent?

There's a current trend happening with people building API phone call bots designed to flood call scam centres. Is there an equivalent of this for web bots?