Widespread Fraud Bot Using Shopify Checkout to Test Stolen Credit Cards (John Doe / Failed Payments)

Topic summary

Merchant reports a large-scale card-testing bot abusing Shopify checkout, sharply escalated in recent days, generating thousands of abandoned checkouts under “John Doe” with repeated failed/attempted payments.

Observed pattern:

  • Unique emails/addresses per attempt; rotating IPs via proxies/VPNs.
  • Multiple failed payment tries; some fraudulent orders slip through.
  • Checkout exploited as a credit card testing endpoint (testing stolen card details).

Mitigations tried (ineffective at source):

  • Shopify Flow (automation), hCaptcha (bot challenge), manual rules, and third‑party apps. These only reduce downstream damage.

Critical collateral impact:

  • Abandoned checkout emails to disposable addresses cause high bounce rates.
  • Damaged sender reputation harms all transactional/marketing email deliverability.

Broader platform risks:

  • Domain/payment reputation, chargebacks, and processor scrutiny.
  • Customer trust/brand harm; corrupted analytics and ad optimization.
  • Operational burden from manual review/cleanup.

Requested platform-level action by Shopify:

  • Velocity/behavioral detection at checkout, card-testing pattern recognition.
  • Platform-wide fraud signatures and network-level blocking.

Status: Ongoing and escalating. No resolution; calls for urgent Shopify engineering/fraud-prevention intervention rather than merchant-side configuration.

Summarized with AI on December 23. AI used: gpt-5.

We are experiencing the same issue many others have mentioned here, and it has been ongoing for months. In our case, it has sharply escalated over the last few days.

We now have thousands of abandoned checkouts created by a clear fraud bot pattern, most using the name “John Doe”, with failed or attempted payments attached. These are not real customers. This is a card-testing operation using Shopify’s checkout infrastructure.

Key characteristics:

  • Different email addresses and shipping addresses on every attempt

  • Rotating IPs via proxies/VPNs

  • Repeated failed payment attempts

  • Some fraudulent orders successfully pass and must be manually caught

  • Checkout is being abused as a credit-card testing endpoint

This is not something merchants can stop on their own.

We have implemented everything available to us:

  • Shopify Flow

  • hCaptcha

  • Manual fraud rules

  • Additional app-based protections

None of these stop the attempts at the source. At best, they only help us mitigate damage after the fact.

Additional critical impact: email and domain reputation

These fake checkouts also create a serious email deliverability problem:

  • Abandoned checkout emails are sent to bogus or disposable email addresses

  • This results in high bounce rates

  • High bounce rates damage sending reputation

  • Damaged reputation impacts all transactional and marketing emails, including legitimate order confirmations and customer communications

Merchants should not be penalized at the email infrastructure level because Shopify checkout is being abused by fraud bots. This is another example of real, downstream harm caused by an issue merchants cannot control.

Why this is a serious platform-level problem

This goes far beyond abandoned carts:

  • Domain and payment reputation risk
    Card testing activity increases chargebacks and processor scrutiny for innocent merchants.

  • Customer trust and brand damage
    Shopify-hosted stores are being used as fraud tools against cardholders.

  • Analytics and reporting corruption
    Fake checkouts destroy conversion data, funnel accuracy, and forecasting.

  • Advertising performance degradation
    Polluted conversion signals negatively affect paid ad optimization.

  • Operational burden on merchants
    Manual review, cleanup, and monitoring cost time and money.

The core issue

Merchants do not control Shopify’s checkout at a server or network level. This type of abuse can only be stopped by Shopify through:

  • Velocity and behavior detection at checkout

  • Card-testing pattern recognition

  • Platform-wide fraud signatures

  • Network-level blocking

This is not a merchant configuration problem. It requires Shopify engineering and fraud prevention intervention.

This issue has been reported repeatedly on this forum. It is known. It is ongoing. And it is escalating.

Shopify has a responsibility to protect its merchants from having their storefronts and domains used as part of a large-scale credit card fraud operation. Continuing to shift mitigation onto merchants damages trust in the platform.

This needs immediate escalation and a real fix at the platform level.

1 Like

Thank you for outlining this issue so clearly. What you are describing aligns with known automated card-testing and fraud activity targeting checkout infrastructure, not genuine customer behavior.

You are correct that merchant-level tools such as Flow, CAPTCHA, and third-party apps can only mitigate impact after the fact. Merchants do not have access to the network-, velocity-, or behavior-level controls required to stop this type of abuse at the source.

We also acknowledge the downstream effects you highlighted, including payment risk, corrupted analytics, degraded ad optimization, operational burden, and especially email and domain reputation damage caused by fraudulent abandoned checkouts. Merchants should not be penalized for reputational harm resulting from abuse of platform-hosted checkout systems.

This issue has been escalated to the appropriate fraud prevention and engineering teams. Addressing card-testing and automated abuse requires platform-level detection and enforcement, and Shopify recognizes its responsibility to protect merchants from this activity.

Thank you for raising this and contributing to ongoing efforts to strengthen platform-wide protections.

The email reputation impact is also very real and often ignored. Sending abandoned checkout emails to fake or disposable addresses drives bounce rates up, which hurts your domain reputation and can affect legitimate transactional and marketing emails. Merchants shouldn’t be paying that price for something they can’t control.

Until Shopify addresses this at the platform level, the only real mitigation is early fraud detection and automation. Tools like Fraudless (real-time risk scoring, card-testing pattern detection, auto-tagging or canceling risky orders) and NoFraud (fraud decisions with chargeback protection) can reduce how many fraudulent attempts slip through and cut down manual review. They’re not perfect — the root issue is still checkout abuse — but they do limit the damage.

This is a Shopify-level problem, not a merchant mistake. The more people call it out publicly, the harder it is to ignore.

1 Like
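The pattern described in this thread (one reused name, a fresh email and IP on every attempt, mostly failed payments) written as a merchant-side detection pass over checkout records. This is an added example, not code from any poster or from Shopify. The record field names, thresholds and sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_BURST = 5                    # assumed: checkouts sharing one name inside the window
MIN_FAIL_RATIO = 0.8             # assumed: share of those with a failed payment

def flag_card_testing(checkouts):
    """Return ids of checkouts that sit in a burst keyed on the reused buyer name.

    IP and email rotate per attempt in the pattern described, so neither is
    used as the grouping key; the name and the payment outcome are.
    """
    by_name = {}
    for c in checkouts:
        by_name.setdefault(c["name"].strip().lower(), []).append(c)
    flagged = set()
    for rows in by_name.values():
        rows.sort(key=lambda c: c["created"])
        start = 0
        for end in range(len(rows)):
            while rows[end]["created"] - rows[start]["created"] > WINDOW:
                start += 1
            burst = rows[start:end + 1]
            failed = sum(1 for c in burst if c["payment"] == "failed")
            distinct_emails = len({c["email"] for c in burst})
            if (len(burst) >= MIN_BURST and failed / len(burst) >= MIN_FAIL_RATIO
                    and distinct_emails == len(burst)):
                flagged.update(c["id"] for c in burst)  # includes the paid one for review
    return flagged

def suppress_recovery_emails(checkouts, flagged):
    """Addresses to exclude from abandoned-checkout mail, to protect bounce rate."""
    return sorted(c["email"] for c in checkouts if c["id"] in flagged)

T0 = datetime(2025, 1, 1, 12, 0)  # constructed sample data, not real checkouts
SAMPLE = [
    {"id": i, "name": "John Doe", "email": f"u{i}@example.test",
     "ip": f"203.0.113.{i}", "payment": "paid" if i == 4 else "failed",
     "created": T0 + timedelta(seconds=40 * i)}
    for i in range(1, 8)
] + [
    {"id": 100, "name": "Ana Real", "email": "ana@example.com", "ip": "198.51.100.7",
     "payment": "failed", "created": T0 + timedelta(minutes=1)},
    {"id": 101, "name": "John Doe", "email": "jd@example.com", "ip": "198.51.100.9",
     "payment": "paid", "created": T0 + timedelta(hours=5)},
]
```

On the sample, the seven burst checkouts are flagged, including the one whose payment succeeded, while the isolated failed payment and the lone "John Doe" order five hours later are left alone.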

Hey @ShopGirl1! Thanks for sharing this — it clearly explains the issue and the real impact it’s having. Hopefully this helps bring more visibility and leads to a proper solution.

1 Like

Apps only block bots at your website, NOT checkout

1 Like