The data here is clear. 80% of clicks are from non JS clients. There's no getting around this. I run an ad network, a real-time analytics product and a WordPress security product that provides real-time traffic and we use JS vs non JS to distinguish between human and non-human for our customers and it is 95+% reliable.
As an ad network provider it's your responsibility to filter spam clients based on heuristics like click frequency from a geo location, JS support in clients, behavior of ISP IP blocks, etc.
It may be that this customer was specifically and exclusively targeted, but even so FB should have mechanisms in place to deal with and block this. This is not a good sign, but then as I've mentioned before I don't think ads is a viable model for FB, so perhaps their energy is being directed elsewhere.
As an ad network provider it's your responsibility to filter spam clients based on heuristics like click frequency from a geo location, JS support in clients, behavior of ISP IP blocks, etc.
It may be that this customer was specifically and exclusively targeted, but even so FB should have mechanisms in place to deal with and block this. This is not a good sign, but then as I've mentioned before I don't think ads is a viable model for FB, so perhaps their energy is being directed elsewhere.