@yea I find your story very strange for a couple of reasons.
First, the Flic hub uses "locally administered addresses", which is indicated by b1 in the first byte of the MAC address (0x9A = 0b10011010). Such addresses cannot be looked up in an OUI registry. It's not a "fake address". It's just not a "globally administered address". This relates exactly to how "static random addresses" is commonly used nowadays in Bluetooth Low Energy compared to "Public addresses" in order to avoid the hassle with address registration in the production, since nobody believes that a 48-bit randomly generated address could be duplicated on a local network.
Now, if you have a gateway in your house in front of your LAN that connects to the internet, all internet traffic the ISP will see will contain the MAC address of your gateway, not any MAC address on your local network since that will be rewritten by your gateway.
Any DHCP traffic should also exist solely on your local network and should not be seen by an ISP.
The Flic hub runs the firmware from a read only memory, so I've hard to see that an intruder could have added some botnet software on it.
The Flic hub should only send NTP, DNS, DHCP, and mDNS traffic, as well as communicating with our backend over TLS. (And of course perform the actions you assign flic buttons)
I'd be glad to get more logs or info on what this "suspicious traffic" might be.