Shopify Platform Failure: Card Testing Bot Attack Flooding Our Store With Fake Abandoned Checkouts

We are currently experiencing a serious platform issue on Shopify that is actively damaging our business operations.

A card testing bot attack is generating hundreds of fraudulent abandoned checkouts every day, and Shopify currently provides no way to remove them from the system.

This has made our abandoned checkout data essentially unusable.

What Is Happening

Bots are targeting our store to test stolen credit cards.

The attack pattern is consistent:

• Bots create new customer accounts with different email addresses each time
• They target newly added $5 products
• They rapidly create checkouts and abandon them
• This repeats hundreds of times per day

Each attempt creates a permanent abandoned checkout record in Shopify.

Shopify’s Security Is Not Stopping It

We have already enabled every recommended Shopify protection, including:

• Google reCAPTCHA
• Shopify fraud detection
• Shopify Flow automation

Yet the bots still reach the checkout stage.

Fraud detection only flags completed fraudulent orders, but it does nothing to stop checkout creation.

The Biggest Problem: Shopify Won’t Let Merchants Delete Abandoned Checkouts

Even when these are clearly bot-generated, Shopify provides no way to remove them.

Not through:

• Shopify Flow
• Admin tools
• API access

This means hundreds of fraudulent records remain permanently in the system.

The Business Impact

This attack is creating serious operational problems:

• Hundreds of fake abandoned checkouts polluting our data
• Legitimate abandoned carts buried in bot noise
• Staff forced to manually sort through bot activity
• Abandoned cart recovery becoming unreliable

For a platform we pay significant monthly fees for, basic bot protection should prevent this from happening.

What Shopify Needs to Fix

At minimum, Shopify should immediately provide:

1. Server-side bot blocking for high-frequency checkout attempts

2. The ability for merchants to delete abandoned checkout records

3. Stronger checkout verification before abandoned checkouts are created

Right now, merchants are paying for a platform that allows bots to generate unlimited fake checkout records with no cleanup tools.

This Needs an Engineering-Level Fix

This is not a store configuration issue.

This is a platform vulnerability.

Until Shopify addresses it, merchants remain exposed to card testing bot attacks that corrupt critical store data and waste operational time.

We hope Shopify engineering takes this issue seriously and implements a solution quickly.

welcome to the club, bots have been testing cards on my site daily since june 2025

Obviously it’s not really a problem for Shopify as a company. The more fraud that happens, the more fees they collect. The more you shell out for apps, the more fees they collect. To help you sort it out would severely hurt the bottom dollar.

Have you checked to see where your bot traffic is originating from? (IP Address?)

I don’t have a Shopify store, but I regularly check my GA to see where I am getting traffic from. I have seen an uptick from Nigeria. I also see they are trying to use Social Logins to access my site. Facebook flags it, and requests a user data delete.

Transactional data (even abandoned ones) is generally immutable for audit, compliance, and security forensics. Instead of a delete button that which could allow malicious actors to hide their tracks or disrupt accounting; try the industry standard is to provide robust filtering, tagging, or archiving tools to separate clean data from bot noise. Native e-commerce tools are rarely sufficient against sophisticated, distributed botnets. You need to look into necessity of routing traffic through a dedicated WAF like Cloudflare, or integrating specialised bot-management software.