If I'm right, srmed2000 is using hotspot to authenticate wireless users via MAC, so the hacker uses their MAC to steal their internet.
Well, if that's the case, there's almost nothing you can do about these hacks because you can't differentiate people who are cloning a MAC address from regular people. Sure, you can use the rule above, which will block the regular user as well, but the hacker will surely have all MACs from that AP, and that rule may just annoy him but not stop him.
My advice is to use user/password for hotspot clients rather than MAC login, at least for users of that AP. Another alternative is to change the regular users' MACs, but that may be a problem and it will work for a short time.
You can use some equipment/packet sniffing/radiation source positioning to track him, and when you've got him... you know what to do - that will make an example for others.
And btw, you should learn the basics of MikroTik first.