We had the exact same problem. Spambot ordering $0.00 items that they should not have had access to as you have to be approved to order on our site. We changed all the 0 items to .01 and it seems to have stopped.
We wee very concerned that shopify said there was nothing they could do about it. Makes me wonder what other back end information is vulnerable.