Title: 2,066 bot accounts created in my store using okhttp/5.3.2 — Shopify declining platform-level fix

Hi everyone,

I run a digital sheet music store on Shopify and wanted to share what I’ve been dealing with over the past several weeks in case others are experiencing the same thing.

Since January 2026, a bot has been systematically creating fake customer accounts in my store. Here is what I know about it:

The bot uses the user agent okhttp/5.3.2, which is distinct from the legitimate Shopify integration user agent okhttp/3.14.1. It rotates through a fixed pool of exactly 15 fake name pairs (Emma Smith, Alexander Rodriguez, James Bond, etc.) with bot-generated emails across gmail, outlook, hotmail, yahoo and icloud. It creates customer records with no associated orders, hitting the customer creation endpoint directly and bypassing the checkout flow entirely. As of today it has created 2,066 fake accounts, which is 56% of my entire customer database.

I have an open high-priority ticket with Shopify engineering (ticket 65542765). Their findings confirmed the bot signature and acknowledged it is part of a wave targeting multiple stores. However their position is that they cannot block a specific user agent at store level, and a request for escalation to Merchant Success was declined. The recommended solution is to purchase a third-party app.

My concern is twofold. First, a clearly identified bot signature that is hitting multiple stores is a platform issue, not a per-store issue. Second, most merchants without technical knowledge would never identify this or get this far with support. They would simply have their CRM silently polluted with no explanation.

Has anyone else seen the okhttp/5.3.2 signature in their store? And has anyone had success with Shop Protector or Negate stopping it?

The fact that Shopify engineering confirmed the signature, acknowledged it’s hitting multiple stores, and still won’t block it at platform level is really frustrating. You did the hard part already by identifying the exact user agent and pattern.

A few things that might help in the meantime:

For cleanup, you can use Shopify’s bulk customer actions. Create a customer segment filtering for customers with 0 orders, then bulk select and delete. If 2,066 is too many for the UI, the Admin API’s customerDelete mutation works in batches. There are also bulk delete apps on the App Store if you want to skip the API route.

For prevention going forward, Shopify Flow has a “Customer created” trigger. You can build a workflow that auto-tags any new customer with 0 orders created by a non-standard source, then review and bulk delete tagged accounts weekly. Won’t stop the creation, but it keeps your CRM clean without manual work.

You might also want to check the other thread here about Chinese bots destroying merchant data. It has 16+ replies and over 1,600 views, so there’s clearly momentum around this issue. The more merchants reporting with specific technical details like yours, the harder it is for Shopify to keep punting.

One more thing: if you haven’t already, try reaching out via @ShopifySupport on X with your ticket number. In my experience the social team escalates faster than regular support channels.

Have you noticed if the bot creation rate is consistent or if it comes in waves?

Yes, several Shopify merchants have the same issues. You have to connect to the Shopify support system (maybe they have a better solution for merchants), problem with sourcing, this is the only solution.

I’m honestly relieved to see this because I’ve been dealing with the exact same thing all week—and it’s been incredibly frustrating.

Shopify has sent me in circles, pointing fingers at every third-party app I use. I’ve spent days disconnecting integrations like Klaviyo, Triple Whale, and others, only to be told again and again that a third party must be the cause. But the accounts being created don’t link back to anything—no form submissions, no identifiable URLs, no activity trail whatsoever.

In the past week alone, I’ve had thousands of new accounts created, all following the same pattern: generic first and last names paired with emails like [email removed] None are subscribed to marketing, none have placed orders, no abandoned carts—nothing. Just ghost accounts appearing out of thin air.

Even after removing all integrations, the issue continued. Shopify then had me install Blockify, where we identified a major spike in traffic from China tied to these accounts. I upgraded, enabled country blocking and VPN blocking… and it still didn’t stop.

At that point, I was basically told those measures aren’t reliable and that my only option is to create a flow to delete the accounts. But that’s not nearly as simple as it sounds—filters can only be so precise, and real customer accounts inevitably get caught in the mix. So now I’m stuck manually cleaning things up on top of everything else.

Under normal circumstances this would already be a headache, but I have an investor meeting next week, and this is completely skewing my metrics. My conversion rate has tanked because of the traffic spike, customer account numbers are inflated with fake users, and it’s impacting email performance if any slip into lists. Trying to segment and manage this across Shopify and Klaviyo has been incredibly time-consuming.

What’s most frustrating is that this seems to be a known issue, yet there’s no real solution—just a lot of deflection and “nothing we can do.” It’s wild.