A lot of companies have done this and do this kind of thing as a service.
That said, this report's objective isn't really to measure click fraud detection on those networks. It's to highlight that one doesn't have to be very sophisticated to commit ad fraud (which is absolutely true). It also has some really odd ideas (e.g. they contacted the Chrome team to let them know about the existence of the stealth plugin in, and were surprised that the Chrome team said that the browser was working as intended so there was no action for them to take on their part... they similarly drew a false equivalence between defending account creation vs. defending click fraud). They also seemed to think that sites should be blocking bots, which is of course not what you want to do, because that provides a feedback loop to the fraudsters so that they can figure out how to overcome the measures. You want to proceed as if it is working, even let it show up in the ad campaign data at least initially, and as much as possible make corrections in ways that make it difficult to determine which traffic has been identified as fraud.
https://fingerprintjs.com/demo shows that Tor can still be fingerprinted and uniquely identified across IP addresses. Your Javascript (navigator) user-agent and timezone are some of the dead giveaways as they leak the true values.
Tor will hide/obscure your true identity (i.e. the one that gets fingerprinted when you use a non-Tor-proxied browser) behind a separate, distinct "Tor identity"; but Tor makes no claim to be fit-for-purpose for obscuring/garbling the persistent aspects of said "Tor identity." (The Tor Project has this as a long-term goal, but they're nowhere near there yet.)
There's a "new Tor circuit for this site" button in the Tor Browser, but it's for circumventing dumb WAFs who've blacklisted a Tor exit node's IP. It's not for OPSEC.
> Javascript
Nobody who cares about doing anything secretive is using Tor with Javascript enabled. (Fun fact: most of the "dark web" stuff operates using early-2000s-era phpBB forum tech, which works perfectly fine without JS.)
https://www.methodmi.com/reports/in-plain-sight