I’m going by what I’ve been told by all the “ship protector” apps I’ve been talking to for help on this. The bots find a way. There’s got to be a reason why it’s looking for free products. But I’m lost too.
As far as your apps the only ones we have in common are rewind and klaviyo. And doubt it’s any of those…. Seems like it’s a Shopify vulnerability. And it started on Jan 25 for me too. Oh, and if it’s targeting free products maybe we need to price these products at $.01 to get rid of James James?
Topic summary
Shopify merchants are experiencing widespread automated bot attacks creating fake abandoned carts and fraudulent orders. The primary bot, nicknamed “James James” (email: sfj9usfhuios@gmail.com, San Antonio CA location), has been active since late January 2025, generating 10-20+ abandoned checkouts daily per store.
Attack Pattern:
- Initially targeted free ($0.00) products with abandoned carts
- Evolved to completing purchases using names like “Will Will,” “Tyler Tyler,” “Yezeus Yezeus”
- Each checkout uses different IP addresses, emails (often @rtremail.com or @yopmail.com), and personal details
- Recent reports indicate bots may be changing product prices to $0.00 and testing stolen credit cards
- Attacks occur in waves, roughly every 4-12 hours
Root Cause (per user investigation):
Discord communities use bots to scan Shopify stores en masse for free products, then share listings with members seeking to exploit pricing errors or claim free items.
Merchant Impact:
- Thousands of fake customer profiles created
- Skewed analytics and conversion rates
- Email marketing platforms (Klaviyo) flooded with fake profiles
- Credit card processing fees on fraudulent transactions
- Some merchants reporting 50,000+ fake profiles
Attempted Solutions (largely ineffective):
- Deleting customer accounts (recreated immediately)
- Activating reCAPTCHA (bypassed)
- Third-party blocking apps (circumvented as bots don’t visit storefront)
- Removing/pricing free items (temporary relief only)
- Draft mode for targeted products (currently most effective)
Shopify’s Response:
Merchants report inadequate support—chat agents suggest basic solutions (delete customers, install apps) that don’t address the backend vulnerability. Shopify acknowledged the issue to some merchants, attributing it to “third parties taking advantage of publicly available free products,” but provided no timeline for fixes. A temporary 1-hour “bot protection” feature rolled out to Shopify Plus stores only.
Current Status:
Ongoing and escalating. Merchants express frustration at Shopify’s inaction, with some considering leaving the platform. The vulnerability appears to be in Shopify’s checkout system itself, allowing bots to create checkouts without actually visiting storefronts.