Where is this customer (a scammer) coming from?

Topic summary

Issue: A hidden $0.00 “free gift” product (seo.hidden) was exploited; an actor repeatedly added it to cart and checked out. Conversion logs show first touch at /checkouts/…/thank_you or /shop_pay, with only 15–20 seconds on-site, and no session replays triggered.

Assessment: Likely a bot using Shopify’s AJAX API (adds items to cart via HTTP calls without loading storefront pages), possibly behind proxies, making source attribution difficult.

Actions taken: Removed Buy buttons from the product page. After extensive log review, confirmed bot activity with telltale email patterns. Switched back to double opt-in for emails, which helped reduce abuse.

Planned/desired measures: Would like CAPTCHA support in Klaviyo (email platform) to deter automated signups. Plans to implement a “honeypot” (hidden form field that flags bots) on Klaviyo forms using available tutorials.

Status: Partially mitigated; underlying cause understood (programmatic cart adds). Further anti-bot hardening pending; discussion remains open for additional defenses.

Summarized with AI on December 24. AI used: gpt-5.

I had a $0.00 item in my store. It was hidden (seo.hidden) and it was being fulfilled with an app so that when a customer bought $100 worth of items, the app added this free gift to their cart. It’s been working great.

However, recently, someone was able to add a bunch of the free items to their cart. I’ve since removed the BUY buttons from that item’s product page, but they came back again today and were able to buy more of them.

What’s interesting is that in the conversion details of the order, the very first page they are landing on is /checkouts/xxxxx/thank_you or /checkouts/xxxxx/shop_pay. They are only on the site for about 15-20 seconds. My site replay tool (that shows user clicks) never activates because they aren’t really on the site.

I thought maybe they were coming from an abandoned browse email, but I don’t think that’s it. Then I thought that maybe they were coming from a product review, but I don’t think that’s it either. Or, maybe they got the product legitimately through the promotion I was running, and they were able to click on the free item in their receipt or shipping notification. I’m totally baffled.

Somewhere they are adding this item to the cart and only dropping onto the Shopify site for a very short amount of time to complete checkout.

Any hints / guesses / suggestions would be greatly appreciated.
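The symptoms in the post above (first touch on a checkout URL, 15–20 seconds on site, several copies of a $0.00 gift) can be turned into a simple review heuristic over exported order conversion data. The following is an added example, not code from the thread or from Shopify; the order records are constructed to mirror the described symptoms, and the field names, the placeholder SKU and the 30-second threshold are assumptions.

```javascript
// Added example: flag orders whose conversion data looks like programmatic
// cart adds rather than a real browsing session.
// The records below are constructed; field names (firstTouch, sessionSeconds,
// lineItems) and the SKU are assumptions, not a real export format.

const FREE_GIFT_SKU = "FREE-GIFT-PLACEHOLDER"; // placeholder for the hidden $0.00 gift

const ORDERS = [
  // Legitimate: browsed the store, bought $120, app added one gift.
  {
    id: "1001",
    email: "jane.doe@example.com",
    firstTouch: "/collections/all",
    sessionSeconds: 410,
    lineItems: [
      { sku: "TEE-001", qty: 1, price: 120.0 },
      { sku: FREE_GIFT_SKU, qty: 1, price: 0.0 },
    ],
  },
  // Suspicious: first page seen is the thank-you page, 18 seconds, gifts only.
  {
    id: "1002",
    email: "xk29fj3q@example.net",
    firstTouch: "/checkouts/abc123/thank_you",
    sessionSeconds: 18,
    lineItems: [{ sku: FREE_GIFT_SKU, qty: 12, price: 0.0 }],
  },
  // Suspicious: first page seen is the Shop Pay step, 15 seconds, gifts only.
  {
    id: "1003",
    email: "qq81zmnp@example.net",
    firstTouch: "/checkouts/def456/shop_pay",
    sessionSeconds: 15,
    lineItems: [{ sku: FREE_GIFT_SKU, qty: 5, price: 0.0 }],
  },
];

// First touch on a checkout path means no storefront page was ever loaded.
const CHECKOUT_FIRST_TOUCH = /^\/checkouts\/.+\/(thank_you|shop_pay)(\/|\?|$)/;

// Return the list of signals present on one order (empty for normal orders).
function orderSignals(order, maxSessionSeconds = 30) {
  const signals = [];
  if (CHECKOUT_FIRST_TOUCH.test(order.firstTouch)) signals.push("first_touch_is_checkout");
  if (order.sessionSeconds < maxSessionSeconds) signals.push("short_session");

  const giftQty = order.lineItems
    .filter((li) => li.sku === FREE_GIFT_SKU)
    .reduce((sum, li) => sum + li.qty, 0);
  if (giftQty > 1) signals.push("multiple_free_gifts");

  const paidTotal = order.lineItems.reduce((sum, li) => sum + li.qty * li.price, 0);
  if (giftQty > 0 && paidTotal === 0) signals.push("zero_value_order");

  return signals;
}

// Two or more independent signals on one order is enough to hold it for review.
function isSuspicious(order) {
  return orderSignals(order).length >= 2;
}

// Produce a review list: order id plus the signals that fired.
function flagOrders(orders) {
  return orders.filter(isSuspicious).map((o) => ({ id: o.id, signals: orderSignals(o) }));
}

console.log(flagOrders(ORDERS));
```

Each signal alone is weak (a returning customer with a saved cart can also land directly on checkout), so the list is meant for manual review or for holding fulfilment, not for automatic cancellation.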

It’s a bot. It probably uses the AJAX API to add products to the cart. So it doesn’t actually need a browser window, which is why you can’t see them in site replays.

As for where they’re coming from, there’s likely no way to know, as it’s probably using a proxy to hide its IP.


Well, after lots and lots of combing through the entries, it definitely looks like it was a bot. There were also some tell-tale signs in the email addresses used. We ended up going back to double opt-in and that helped a lot. Two things would be even better…

  1. I wish Klaviyo worked with captcha. I think that would stop some bots.

  2. I want to play around with a honeypot. While that won’t stop the bots, it will make it a lot easier to identify the spam form submissions. There are some online tutorials for Klaviyo honeypot builds, I’ll try them when I have a moment.
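For anyone wanting to see what the honeypot idea in point 2 looks like in code, here is an added example that is generic form logic, not a Klaviyo tutorial and not Klaviyo's own API. The trap field name, the hidden `form_rendered_at` timestamp and the 3-second minimum fill time are assumptions; the submissions at the bottom are constructed.

```javascript
// Added example: a form honeypot plus a fill-time check.
// Goal matches the post: not to block bots outright, but to mark the
// submissions that need a second look. Field names and thresholds are assumptions.

const HONEYPOT_FIELD = "website_url"; // assumed name; looks like a normal field to a form filler
const MIN_FILL_SECONDS = 3;           // assumed; humans rarely complete a signup form faster

// Markup for the trap field: moved off-screen rather than display:none (some
// bots skip display:none), kept out of tab order and screen readers, with
// autocomplete off so a real browser never fills it. A render timestamp
// travels with the form so the fill time can be measured on submit.
function honeypotMarkup(renderedAtMs) {
  return (
    `<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden" aria-hidden="true">` +
    `<label for="${HONEYPOT_FIELD}">Leave this field empty</label>` +
    `<input type="text" id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">` +
    `</div>` +
    `<input type="hidden" name="form_rendered_at" value="${renderedAtMs}">`
  );
}

// Classify one submission. `fields` is the posted name→value map,
// `submittedAtMs` the server-side receipt time.
function classifySubmission(fields, submittedAtMs) {
  const reasons = [];

  // A human never sees the trap field, so any content in it is a strong signal.
  if ((fields[HONEYPOT_FIELD] || "").trim() !== "") reasons.push("honeypot_filled");

  // Missing or implausibly fast timing is a weaker, supporting signal.
  const renderedAt = Number(fields.form_rendered_at);
  if (!Number.isFinite(renderedAt)) {
    reasons.push("missing_render_timestamp");
  } else if ((submittedAtMs - renderedAt) / 1000 < MIN_FILL_SECONDS) {
    reasons.push("submitted_too_fast");
  }

  return { flagged: reasons.length > 0, reasons };
}

// Constructed submissions: one human, one form filler, one fast scripted post.
const SUBMISSIONS = [
  {
    fields: { email: "jane.doe@example.com", [HONEYPOT_FIELD]: "", form_rendered_at: "1700000000000" },
    submittedAtMs: 1700000045000, // 45 s after render
  },
  {
    fields: { email: "xk29fj3q@example.net", [HONEYPOT_FIELD]: "http://spam.invalid", form_rendered_at: "1700000000000" },
    submittedAtMs: 1700000001000, // 1 s after render, trap filled
  },
  {
    fields: { email: "qq81zmnp@example.net", [HONEYPOT_FIELD]: "", form_rendered_at: "1700000000000" },
    submittedAtMs: 1700000000800, // 0.8 s after render, trap empty
  },
];

for (const s of SUBMISSIONS) {
  console.log(s.fields.email, classifySubmission(s.fields, s.submittedAtMs));
}
```

Flagged submissions are best routed to a "needs review" list or kept out of the main mailing list rather than silently dropped, since the timing check alone will occasionally catch a fast human on a saved-autofill browser.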