Tons of bots creating and abandoning carts

Topic summary

Shopify merchants are experiencing widespread bot attacks creating fake abandoned carts and customer accounts, severely corrupting analytics and conversion metrics. The bots use rotating IPs (18,000+), bypass traditional captcha and bot protection apps, and trigger cart events directly through backend APIs rather than the storefront UI.

Key characteristics of the bot traffic:

  • Email patterns: names followed by three numbers (e.g., allen690@yahoo.com)
  • Common fake address: House Number 43, Gray Colony, Bellevue WA 98006
  • Customer creation source shows as “Shopify App”
  • Thousands of fake profiles daily since November 2024
  • Corrupts Klaviyo email marketing data with bounces and fake checkout events

Shopify’s response:
Merchants report that Shopify support, including Plus-level support, has been unhelpful—recommending ineffective app-based solutions rather than implementing platform-level fixes at the Cloudflare WAF layer.

Proposed solution:
Some users implemented third-party WAF solutions (Akamai-based) that sit in front of Shopify as an origin-to-origin CDN layer. One user promotes the “Armex: Block Checkout Bots” app as a working solution, though other merchants express skepticism about its legitimacy and connection to similar apps. One merchant reports DNS errors after installation.

Status: Ongoing issue with mixed reports—some seeing temporary relief, others experiencing continued attacks. Community frustration with Shopify’s lack of platform-level action remains high.

Summarized with AI on October 23. AI used: claude-sonnet-4-5-20250929.

I don’t know if this is just a coincidence. I know best practice is to unsubscribe instead of deleting known bad emails. However, a few days ago I just got so frustrated at the 90K-plus emails clogging up Shopify and Omnisend (our version of Klaviyo), even though we had been mainly successfully quarantining them with rules-based segments (no orders, less than 5 page visits including checkout). I went ahead and DELETED this segment. Then 100 more per hour. Then delete again after another day and 2000+ bad emails. Repeat, repeat, repeat. Last time I mass deleted was about 3 hours ago and I only have 28 new bot emails. So maybe actively deleting does something to the sender to slow it down? I’m sure I deleted a handful of legit customers (at least subscribers, not customers, since anyone who has made a purchase is not in the bot segment).

Will post again if I truly see a big slowdown that endures.

1 Like
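The indicators listed in the topic summary and the segment rule from the post above can be combined into an offline triage pass over a customer export. This is an added example, not code from the thread or from Shopify; the CSV column names and sample rows are constructed, and the rule that low engagement only quarantines when paired with an email or address indicator is an assumption of this sketch.

```python
import csv
import io
import re

# Constructed sample export; column names are assumptions, not a Shopify schema.
SAMPLE_CSV = """email,address1,city,state,zip,orders,page_visits
allen690@yahoo.com,"House Number 43, Gray Colony",Bellevue,WA,98006,0,1
maria.lopez@example.com,12 Oak Street,Austin,TX,78701,2,14
brook117@example.net,5 Elm Road,Denver,CO,80202,0,2
sam2024@example.org,9 Pine Ave,Boise,ID,83702,0,3
dana321@example.com,77 Lake Dr,Reno,NV,89501,0,12
"""

# Indicators reported in the thread.
EMAIL_RE = re.compile(r"^[a-z]+\d{3}@", re.IGNORECASE)  # name + exactly three digits
FAKE_ADDR = "house number 43 gray colony bellevue wa 98006"

def normalize(*parts):
    """Lower-case, drop punctuation and collapse whitespace for address comparison."""
    text = " ".join(p for p in parts if p)
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())

def classify(row):
    """Return (verdict, reasons). Buyers are never flagged, as in the post's segment."""
    if int(row["orders"]) > 0:
        return "keep", []
    reasons = []
    if EMAIL_RE.match(row["email"]):
        reasons.append("email_pattern")
    if normalize(row["address1"], row["city"], row["state"], row["zip"]) == FAKE_ADDR:
        reasons.append("known_fake_address")
    if int(row["page_visits"]) < 5:  # the post's "less than 5 page visits" rule
        reasons.append("low_engagement")
    # Low engagement alone also describes a genuine new subscriber, so it only
    # quarantines when paired with an email or address indicator (assumption).
    strong = [r for r in reasons if r != "low_engagement"]
    if strong and "low_engagement" in reasons:
        return "quarantine", reasons
    return ("review" if reasons else "keep"), reasons

def triage(csv_text):
    """Map each email in the export to its (verdict, reasons) pair."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["email"]: classify(r) for r in rows}

if __name__ == "__main__":
    for email, (verdict, reasons) in triage(SAMPLE_CSV).items():
        print(f"{verdict:10} {email:26} {','.join(reasons)}")
```

The "review" verdict keeps single-indicator profiles out of any bulk action, so they can be suppressed or checked by hand instead.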