Shopify store owners are experiencing widespread bot attacks creating fake abandoned checkouts, typically using the address “street 10 apt 2” with various email providers. These bots generate fraudulent customer records, risk email domain blacklisting through automated abandoned cart emails, and severely distort analytics data (conversion rates, customer counts), making marketing decisions unreliable.
Key Issues:
- Bots appear to be testing stolen credit cards, creating chargeback liability
- Third-party apps like Blockify and Negate Bot Protection prove largely ineffective
- Shopify restricts checkout page access to apps, limiting protection options
- Advanced bot protection only available on $2000+/month plans
Workarounds:
- Removing $0/digital products from stores (most effective workaround)
- Disabling cart availability for targeted pin codes
- Manual IP blocking via customer data requests
- Regular deletion of fake customer accounts
Community Frustration:
Multiple users report this issue persisting for 1-2 years with minimal Shopify support. Several merchants criticize Shopify for using Cloudflare internally while preventing customers from implementing similar protection. One developer claims to have created a custom solution reducing daily abandoned carts from 2000+ to ~10, with plans to release as an app. Some users are considering migrating to WordPress/GoDaddy for better security control.
Summarized with AI on October 24.
AI used: claude-sonnet-4-5-20250929.
I recently started noticing fake abandoned checkouts generated by bots. Email addresses could be gmail, hotmail, or anything. Address seems to always be “street 10 apt 2”. For some, this is actually completed transactions. Reference additional threads on this topic here and here.
This creates a few issues and existential threats to a business:
- floods your backend with fake “customers” with unusual but generally believable names.
- puts your domain at risk of being blacklisted from sending emails (if you have too many automated abandoned checkout emails going out to fake email addresses, or due to these fake customers getting subscribed to your email list and you accidentally sending out too many automated emails to fake email addresses).
I can’t figure out any reason for this activity except these are fraudsters testing stolen credit card numbers. If that’s the case, if a transaction is successful, your business will be liable for chargebacks and dispute fees and at scale, this will blacklist you from using a merchant account.
I have tried installing Blockify IP Block app which was completely ineffective for blocking this activity, and learned the following:
- I tried everything to make it work, but apparently Shopify prevents third party apps from doing anything with a checkout page, so, this app cannot prevent bots from accessing the checkout page. Even setting the app to block all non-US traffic, I was still regularly receiving fake checkouts from other countries/Russia.
- Apparently, Shopify DOES have a feature to prevent bots from using the site, but it’s only available to the top paid tier at $2000+ per month. (Despite being a tiny store with minimal actual traffic, I’m seeing a lot of bots and I am shocked that Shopify prevents us guarding businesses of all sizes against such critical and existential threats!)
My best understanding of the situation is that scripts are being used to query a site’s code to find the lowest-priced Product that’s Active in the Online Store (this explains why they are adding “unlisted” products to their carts) and then using that product’s URL in a script to go directly to a checkout page with that item in the cart.
Potential solution / temporary workaround:
It occurred to me that bots may be prevented from testing CC numbers on my site if I ensure that all of the products available are physical products that require shipping. This makes the website a hurdle as a tool to mass-test credit card numbers, since it’s easier to test on sites that offer gift-cards and donations.
Since removing my hidden gift card option, I have not seen any bot-generated abandoned checkouts, so seems to be a simple solution that worked!
Other tips
To find the IP address of the source of an abandoned checkout (or any customer), navigate to that customer record, and from the options menu for the customer click on “Request Data”. This will email your admin account a link to download a CSV with all customer data, including all their activity, sessions, and IP addresses for those. You can copy and paste these into an IP Blocker to attempt to block further activity from that IP.
Delete the customers created by these fake checkouts to keep your subscriber list and customer metrics clean (but if you need any data from the customer profile, make sure you request it first, before deleting!)
TL;DR: Remove any $0 or digital products from your site if you have the option. Do not just remove links to them, but change the settings in the product to make them not available in Online Store channel or set as Draft. Or, perhaps try forcing collecting physical addresses even for digital products, that might prevent the bots, too!
This issue took a few hours out of my week to mess with, so I hope my findings help shed some light for others!
Dealing with fake abandoned checkouts and fraudulent transactions on your Shopify store can be a challenging issue. Here’s a comprehensive approach along with additional steps to mitigate this problem:
Remove Hidden Gift Card Options and Digital Products
I just noticed the same thing. I have shipping on all my products so no charges went through, but now I’ll have to remove them manually from my email list.
This has been going on for almost 2 years with our website. It’s the identical address, just a different name, email, City and State. The email addresses are legit because we’ve been contacted by some of them (the actual owner of the email address) asking how and why they are on the marketing list. Being blacklisted for something we can’t control is super frustrating and a sign of poor development from Shopify.
We have spent so much time navigating this mess, chatting with Shopify and manually deleting accounts I am exhausted. One of the big issues we have now with this is that all of our data is compromised. When this individual creates a customer, adds products to the cart and abandons it over and over, it leads to huge inconsistencies with our online store conversion rate. It’s showing that our customer base is growing but is massively inflated with fake accounts. How do you decide where to add marketing dollars if your data is incorrect? How do you plan product placement by market if data is incorrect?
One other thing I was thinking about is if there is a way to limit our site or checkout page to US only IP Addresses? I know you can use VPNs and I am sure this will impact sales in some way. We don’t ship to customers outside the US so does anyone know if this is possible and potential impacts?
In the end, Shopify really needs to step it up with ways of preventing this stuff. We shouldn’t be the ones responsible for coming up with workarounds or fixes for a system that we’re paying thousands of dollars for annually.
This is best if monitored regularly, but retroactively you can run a report of your entire customer list, filter by everyone with this same street address, and then go in and delete all of those customers from your system. Then, you need to be proactive about this moving forward so you’re not sending out newsletters to these fake subscribers. If enough of them mark your emails as spam, your domain will also be blacklisted from ever sending marketing emails. Massive existential risk for business. See if you can remove the products from your store that are creating these opportunities, and if that doesn’t work, see if you can find an app that reliably blocks non-US IPs and VPN users from accessing your checkout page. Blockify is supposed to do it, but it doesn’t. There may be other solutions. Otherwise, there is a whole checklist of measures one can take that someone posted earlier in this thread. Thanks everyone for your contributions to the conversation!
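The retroactive cleanup described in the post above, as an added example (not code from any poster in this thread or from Shopify): it scans a customer export for the known bot address and, more generally, for any address reused across several distinct emails. The column names (`email`, `address1`, `address2`) and the sample rows are assumptions constructed for illustration; map them to the headers in your own export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; column names are assumptions, not Shopify's schema.
SAMPLE_CSV = """email,first_name,address1,address2,city,accepts_marketing
a.reed@example.com,Alma,Street 10,Apt 2,Dallas,yes
jk77@example.net,Jon,"street 10, apt. 2",,Tampa,yes
m.ortiz@example.org,Mia,STREET  10 APT 2,,Reno,no
real.buyer@example.com,Sam,41 Oak Lane,,Boise,yes
second.buyer@example.net,Ana,41 Oak Lane,Unit B,Boise,no
"""

def normalize_address(address1, address2=""):
    """Lowercase, drop punctuation, collapse whitespace, unify 'apartment'."""
    text = f"{address1} {address2}".lower()
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    text = re.sub(r"\b(apartment|apt)\b", "apt", text)
    return " ".join(text.split())

def flag_suspect_customers(rows, known_bad=("street 10 apt 2",), min_shared=3):
    """Return {email: reason} for rows matching a known bot address or
    sharing one normalized address with at least min_shared distinct emails."""
    by_address = defaultdict(set)
    for row in rows:
        key = normalize_address(row["address1"], row.get("address2", ""))
        by_address[key].add(row["email"].strip().lower())
    flagged = {}
    for key, emails in by_address.items():
        if key in known_bad:
            reason = "known bot address"
        elif key and len(emails) >= min_shared:
            reason = f"address shared by {len(emails)} emails"
        else:
            continue
        for email in emails:
            flagged[email] = reason
    return flagged

def load_rows(csv_text):
    """Parse CSV text into a list of dict rows keyed by header name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

if __name__ == "__main__":
    hits = flag_suspect_customers(load_rows(SAMPLE_CSV))
    for email, reason in sorted(hits.items()):
        print(f"{email}\t{reason}")
```

Treat the output as a review list for suppression from marketing sends before any deletion; the shared-address rule can also match real households or offices, so tune `min_shared` to your store.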
I 100% agree. I literally am looking at different options because Shopify staff are a 3rd party call center in the Philippines (they work pretty hard) that is only equipped with the same resources that WE the Shopify Clients are in their resource section. Shopify is literally a closed off platform that WON’T allow us to clip in REAL bot protection software like Cloudflare or something like this because of Shopify’s ego issues not wanting another service above theirs acting as a filter for the bots. They literally are going to lose ALL business because we Literally CAN NOT protect against BOTS with their set up. Cloudflare is a professional service used by Big professional websites for bot protection and cybersecurity by acting as a proxy for your domain and incoming and outgoing connections. This is the Only legit method to stop bots because of the layout of Shopify being 3rd party. The issue is 100% Shopify.
Can confirm your frustration with customer support and having zero tie-in to Product Dept at Shopify and Product taking zero responsibility for their product!! And the Philippines part. I’ve worked with those centers at my old tech job, and can confirm those are good-hearted, very intelligent and hard-working humans, the entire breakdown is all on Shopify and their culture/system. Nothing drives me more mad than talking to someone who has literally zero understanding of the product or the customer or the industry because the company decided to outsource their customer support! It’s insane! This is definitely the #1 threat to Shopify’s business and longevity.
HOWEVER I do know Shopify already uses Cloudflare for their own servers, something they could theoretically roll out to storefronts on their platform?? I use a VPN at all times, every time I try to log into my Shopify I see the Cloudflare page that asks me to confirm I am human.
Yeah, exactly. It’s really hypocritical of Shopify to use Cloudflare for themselves and for all this BS on us.
Ok so you and I and many of us are all in the same boat…
Our issue: Bots that are Advanced tier Headless browsers that can only be stopped with a challenge.
Provided solution: Get bot protection software.
Reality: The only metrics that can differentiate a bot from a human are bounce rate and failed checkouts AFTER the fact…So All bot software being allowed by Shopify is designed for the most “Low/Basic tier” bots that will be stopped by a good robots text.
NOTHING WORKS
Solution that we should have access to: Use Cloudflare…OH WAIT…We can’t because despite Shopify finding it useful for its own servers, isn’t a good enough reason for us to need it too.
MY SOLUTION:
Boycott time!! Leave and go to godaddy.com and build a store there to bypass the “third party” preventing us from using legit security software that WILL block bots.
Wix won’t work. ArtsStoreFronts won’t work either because they are Shopify based.
By the way what industry are you in?? This is also a question for everyone else too! Bots supposedly attack ads and stores with certain keywords and directions.
If only this were true. Negate did absolutely nothing for us to stop the bogus abandoned checkouts. Before negate, we’d see anywhere from 500-1500 abandoned checkouts, almost all of them with the same address. I let negate run for a few days, the last 2 with maximum protection. No change.
Kedra did nothing to stop the abandoned carts. We were getting north of 2000 abandoned carts each day. Tried Kedra. It did nothing. In fact, at one point, it took our website down. Every visit was flagged as a bot. This went on for almost 24 hours. Didn’t know what was causing it until I uninstalled Kedra and things went back to normal. I haven’t used their Checkout Rules app but it doesn’t matter. It still would not block abandoned carts.
I finally decided to write something myself and now we get 10 abandoned carts each day.
Ooph. I’m making an app out of this. It’s actually an extension-only app. I’m not sure when I’ll be ready to release it but it’s been stable on the sites that are using it almost 2 months.
I’m looking at one of those sites this morning. Since midnight, there have been 521 bot attempts that would have created an abandoned cart. 418 of those reached checkout. None of the “checkout” bots was able to create an abandoned carts. Of the remaining 103 since midnight, I have 7 abandoned carts. I’m still trying to deal with those but since, for all my eval sites, the bots reaching checkout are, by far and away, the greatest number, I’m feeling pretty good about the whole thing.
Hi all, I am too facing this same issue with bots hammering my cart/checkout pages. Shopify support got back to me and so did Negate saying that the bots are not coming in from the front … but from the back. Server side! So the bot has direct access to a checkout link and there is no way to stop it unless you have access to the checkout page which Shopify prevents unless you are on Plus. I can’t afford Plus and this is a basic right to have your website secure regardless if you’re on Plus or not. I have lost millions of dollars from these attacks and just realised after a year and half what the cause was! I have reached out to Shopify for a fix and what they intend to do as this either needs to get fixed or sorted or I have to take my site elsewhere... as these bots are running us to the ground anyway... I have nothing to lose anymore. These bots that we are experiencing don’t need to place orders or whatever... they are simply jumping on all at once and then bouncing which skews all of our marketing pixels with Google and social media. Thus, affecting our data and conversion rate.
Negate Bot is not going to fix the false analytics issues that mislead ads and SEO. Negate ONLY stops bots after they enter the site. It also does NOT store high level headless browser bots. Only my software stops bots BEFORE bots connect fully to the site.