It less likely than this is a hack but rather a bot spidering your site.
Your product pages, e.g. https://www.sparetoolparts.co.uk/milwaukee-ag-1000-spare-parts-list-type-4000458156.html have add to cart buttons which are "setLocation" and therefore suggesting to bots that they can be accessed with GET requests rather than form POSTs. It could simply be a bot finding these buttons and following the location set.
You could change each button so that it was in it's own form with a post with the correct URL which would make this less likely to happen.
From running whois with those IP addresses, it's not obvious which bot is doing that, perhaps you'll be able to see from the user agents that are visiting with those IP addresses. If you've tried to block but it's not working, could this be because you added something to robots.txt and the bot is ignoring these requests? Or perhaps the IP has just changed to a similar looking one.
... View more