Need advice on how to block individual user

We have an individual who is using stolen cards to place orders on our site and we’re at the end of our rope trying to block him. He’s constantly changing his IP address, so that’s not an option. We thought we could block him using his UserAgent since it looked like a unique one (Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36), but come to find out it’s one of Chrome’s UA’s so that’s not an option.

I’m hoping someone here has had a similar challenge and figured out a magic way to target someone like this - even outside of CloudFlare if CF can’t get the job done.