Shopify Bot Exploit – Add-to-Cart Abuse Is Corrupting Analytics & Shopify Refuses to Act at Platform

Topic summary

A sophisticated bot exploit is targeting Shopify stores by generating massive fake add-to-cart activity through 18,000+ rotating IPs that mimic legitimate browser behavior. The attack corrupts analytics, inflates ad spend, damages email deliverability through fake customer accounts, and disrupts marketing attribution—issues that cannot be resolved by third-party apps since they operate after requests hit Shopify’s infrastructure.

Merchant Workarounds:

  • Creating Shopify Flow automations to auto-delete fake accounts based on patterns (empty names, specific fake addresses)
  • Segmenting bot profiles in email platforms like Klaviyo to protect sender reputation
  • Adjusting Google Ads strategies to manual campaigns due to corrupted conversion data
  • Some merchants deployed Armex firewall app with mixed results—effective bot blocking but reports of site slowdowns and accessibility issues

Core Issue:
Merchants argue only Shopify can solve this at the Cloudflare WAF level, but the platform has refused to intervene, directing merchants to inadequate app-based solutions. Multiple affected merchants express frustration with Shopify’s inaction and mention potential collective legal action for negligence.

Status: Ongoing problem with no official platform-level solution. Merchants continue sharing mitigation strategies while calling for Shopify infrastructure team intervention.

Summarized with AI on October 23. AI used: claude-sonnet-4-5-20250929.

For anyone dealing with this, have you established if the bots are:

  • actually interacting with the page, triggering analytics events etc
  • loading the frontend, but using the ajax api to actually interact with the cart
  • or possibly, newer, abusing the new system for the MCP storefront API, which also has cart functionality etc. (lets LLMs like ChatGPT access store data on the frontend)

> - Mimics common browser user agents and request headers, appearing identical to real users
> - Reaches storefront pages, skewing sessions, bounce rates, conversion rates, and marketing attribution
> - Then exploits Shopify’s architecture to bypass front-end logic and spam cart activity at scale
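
One way to answer the question above from request logs, as an added example that is not part of the original thread: it labels each client with cart activity by which of the three paths it used. The log source, the record format, the `/api/mcp` path and the beacon path are assumptions; `/cart/add.js` and `/cart/add` are Shopify's Ajax Cart API endpoints.

```python
from collections import Counter

CART_ADD = {"/cart/add.js", "/cart/add"}  # Shopify Ajax Cart API endpoints
MCP_PATH = "/api/mcp"                     # assumed Storefront MCP endpoint path
BEACON = "/beacon-placeholder"            # hypothetical analytics beacon path

def classify(records, cart_add=CART_ADD, mcp_path=MCP_PATH, beacon=BEACON):
    """Map each client with cart activity to (label, request count).

    Labels: 'browser' (analytics fired before the cart add), 'ajax_only'
    (cart add with no prior analytics event), 'mcp' (used the MCP endpoint).
    """
    beaconed, labels, hits = set(), {}, Counter()
    for client, method, path in records:       # records are in time order
        path = path.split("?", 1)[0]           # ignore query strings
        if path == beacon:
            beaconed.add(client)
        elif method == "POST" and path == mcp_path:
            labels[client] = "mcp"
            hits[client] += 1
        elif method == "POST" and path in cart_add:
            hits[client] += 1
            # Once flagged, a client keeps its more suspicious label.
            if labels.get(client) not in ("mcp", "ajax_only"):
                labels[client] = "browser" if client in beaconed else "ajax_only"
    return {c: (labels[c], hits[c]) for c in labels}

def summarize(result):
    """Count clients per label, to show which path dominates."""
    return Counter(label for label, _ in result.values())

# Constructed sample log: (client key, method, path). All values are made up.
SAMPLE = [
    ("c1", "GET", "/products/blue-mug"),
    ("c1", "POST", "/beacon-placeholder"),
    ("c1", "POST", "/cart/add.js"),
    ("c2", "GET", "/products/blue-mug?variant=1"),
    ("c2", "POST", "/cart/add.js"),
    ("c2", "POST", "/cart/add.js"),
    ("c2", "POST", "/cart/add.js"),
    ("c3", "POST", "/api/mcp"),
    ("c3", "POST", "/api/mcp"),
    ("c4", "GET", "/products/blue-mug"),
    ("c5", "POST", "/cart/add"),
    ("c5", "POST", "/beacon-placeholder"),
    ("c5", "POST", "/cart/add"),
]

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(summarize(classify(SAMPLE)))
```

With traffic spread over many rotating IPs, a session cookie or cart token is a more useful client key than the source address.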