If you are comfortable with SQL for database access, you can pull the list of usernames directly from the database. See for example:
In one case, we saw only illegitimate users coming from @lexxip.com.
In the past, I used the following query (in OJS 2.x) to describe user activity in order to identify suspect users:
select
u.user_id,
u.username,
u.email,
u.first_name,
u.middle_name,
u.last_name,
u.url,
u.disabled,
u.date_registered,
u.date_validated,
bit_or(r.role_id) roles,
count(distinct a.article_id) articles,
count(distinct e.article_id) editing,
count(distinct v.review_id) reviews,
group_concat(b.setting_value ORDER BY b.setting_value separator ' ') biography,
group_concat(c.body ORDER BY c.body separator ' ') comments,
group_concat(s.setting_value ORDER BY s.setting_value separator ' ') signature,
count(distinct c.comment_id) comment_count
from
users u
left outer join user_settings b on (u.user_id = b.user_id and b.setting_name = 'biography')
left outer join user_settings s on (u.user_id = s.user_id and s.setting_name = 'signature')
left outer join comments c on (u.user_id = c.user_id)
left outer join roles r on (u.user_id = r.user_id)
left outer join articles a on (u.user_id = a.user_id and a.status in (1, 3))
left outer join review_assignments v on (u.user_id = v.reviewer_id)
left outer join edit_assignments e on (u.user_id = e.editor_id)
group by
u.user_id,
u.username,
u.email,
u.first_name,
u.middle_name,
u.last_name,
u.url,
u.disabled,
u.date_registered,
u.date_validated;