THE TEARDOWN

How coordinated bot campaigns are quietly draining Shopify stores: what it is, what it costs you, and what actually works

In November 2024, a Shopify community thread popped up with a title that read like a list of random names: “Another wave of $0 bot orders - Hudson Chin, Emma Metcalf, H W.” The poster had been running two stores when they started to receive waves of orders, all totalling $0. The thread stayed active through early 2025, with new operators reporting the same names, new variants and fresh bot emails as of late January.

The wave is still active. So if you’re running a Shopify store with any third-party apps that control product variants or pricing, you’re potentially exposed.

Bots hit your checkout before your pricing app even has time to load. Because Shopify’s base product can have a $0 price while the app normally overrides it at display time, the bot bypasses that override entirely and submits a legitimate-looking checkout at zero cost, and so Shopify processes it as a real order.

The real damage isn’t the $0 order itself. It’s what comes after: your abandoned cart flow fires on fake emails, inventory gets held against fake demand, your analytics get polluted with ghost conversion data, and if you're on automatic payment capture, you're paying transaction fees on orders you'll have to manually cancel and void.

The original poster had tried the obvious fixes we might all try. hCaptcha was already on and didn’t stop it. Shopify’s native Fraud Filter app has been discontinued, so new rules can no longer be created. Scripts editor has also been discontinued (Plus only, $2,300/mo). Forcing logins before checkout stopped the bot orders, but it killed conversion rates. Shopify Plus bot protection is $2,300/mo.

Unfortunately none of the native tools available on standard plans fully prevent these orders from being placed. But here’s a reframe to consider: you don’t need to prevent them from being placed. You just need to prevent them from costing you anything.

The full defense stack costs nothing, takes 30 minutes, and uses only tools already built into your Shopify plan.

THE HOW-TO

This isn’t a single fix. It’s a layered defense where each step addresses a different gap, so make sure to do all 4.

  1. Switch to manual capture payment. Go to Settings → Payments and in the ‘Payment capture method’ section, change “Automatically capture payment” to “Manually capture payment.” This is the single most important step in the stack. With automatic capture, every bot order would cost you a transaction fee before you even noticed. With manual capture, every payment is only authorized, not charged, until you release it. You can cancel fake orders without paying a cent or triggering a refund. Shopify Flow can then auto-capture payment on orders that pass fraud checks, so legitimate customers are unaffected.

  2. Install the “Capture payment if order is not high fraud risk” Flow template. Go to Apps → Flow → Create Workflow → Browse templates → Risk. Install this template. It uses Shopify's built-in fraud analysis to auto-capture payment on low and medium-risk orders, and leaves high-risk orders sitting for manual review. One thing to look out for: this workflow must use the ‘Order risk analyzed’ trigger, not ‘Order created’. Fraud analysis takes time to process after an order is placed, so triggering it on creation means the risk data isn't there yet. The template handles this correctly by default.

  3. Install the "Cancel and tag orders from known bad email addresses" Flow template. Same path as the last step: Browse templates → Risk. Once you see the bot email patterns (the names, the yahoo addresses, the obvious fakes), add them to this template's blocklist. It automatically cancels and tags any future order from those addresses. Shopify acknowledges this is easy to work around (bots just rotate email addresses), but it interrupts automated fraud campaigns that reuse the same addresses across multiple stores. This isn’t a complete fix on its own, but you’re definitely raising the cost of the attack.

  4. Install the "Cancel orders if customer places more than 5 orders in a day" Flow template. Same path again. This catches volume-based bot patterns: the same email or customer account hammering your store repeatedly. It auto-cancels and tags the customer for potential fraud. Adjust the threshold if your store has legitimate high-volume buyers, but 5 orders per day from a single account is a reasonable default flag for most stores.

One thing to do after setup: Go to Settings → Checkout → Address Collection and confirm "Validate shipping address" is on. This won't stop $0 bots specifically, but it adds friction to checkout automation generally, and it's a simple one-toggle fix.

One honest limitation: this stack stops the bleed (transaction fees, inventory holds, fake analytics, cart flow triggers). However, it does not prevent the orders from appearing in your admin entirely. That requires Shopify Plus or a paid bot-protection app. For a store at the early stages, stopping the financial damage is the right goal. The ghost orders in your admin are annoying but harmless once the defense stack is running.
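The decision logic of the four steps above, sketched as an added Python example (not Shopify's or the author's code) that you could adapt to an order export to see which orders the stack would capture, hold or cancel. The field names, the sample orders, the blocklisted address, the extra hold on $0 totals and the choice to cancel from the sixth same-day order onward are assumptions made for the illustration.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample orders. Field names are assumptions for this sketch,
# not Shopify's export or API schema.
ORDERS = [
    {"id": 1001, "email": "buyer@example.com", "day": "2025-01-20", "total": "42.00", "risk": "low"},
    {"id": 1002, "email": "Bot1@example.net", "day": "2025-01-20", "total": "0.00", "risk": "low"},
    {"id": 1003, "email": "known-bad@example.org", "day": "2025-01-20", "total": "0.00", "risk": "medium"},
    {"id": 1004, "email": "shopper@example.com", "day": "2025-01-20", "total": "19.00", "risk": "high"},
] + [
    {"id": 2000 + i, "email": "repeat@example.net", "day": "2025-01-21", "total": "5.00", "risk": "low"}
    for i in range(6)
]

BLOCKLIST = {"known-bad@example.org"}   # constructed placeholder address
MAX_ORDERS_PER_DAY = 5                  # threshold from step 4


def triage(orders, blocklist=BLOCKLIST, max_per_day=MAX_ORDERS_PER_DAY):
    """Return {order_id: (action, reason)}; action is capture, hold or cancel.

    Orders are read in the sequence they were placed. Nothing is captured
    unless every check passes, which is what manual capture (step 1) buys you.
    """
    seen = Counter()          # running count per (email, day)
    decisions = {}
    for order in orders:
        email = order["email"].strip().lower()
        seen[(email, order["day"])] += 1
        if email in blocklist:                          # step 3
            decisions[order["id"]] = ("cancel", "blocklisted email")
        elif seen[(email, order["day"])] > max_per_day:  # step 4
            decisions[order["id"]] = ("cancel", "order velocity")
        elif order["risk"] == "high":                   # step 2
            decisions[order["id"]] = ("hold", "high fraud risk")
        elif Decimal(order["total"]) == 0:              # added assumption
            decisions[order["id"]] = ("hold", "zero total")
        else:
            decisions[order["id"]] = ("capture", "passed checks")
    return decisions


if __name__ == "__main__":
    for order_id, (action, reason) in triage(ORDERS).items():
        print(order_id, action, reason)
```

Because every order starts as authorized only, the "hold" and "cancel" outcomes here cost no transaction fee; only "capture" moves money.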

THE SCAN

A few things worth knowing this week

  • Shopify Flow got a major upgrade in 2025. Sidekick (Shopify's AI) can now build Flow workflows from a plain-language description. Simply type what you want automated and it generates the trigger, condition, and action. If you haven't opened Flow in a while, it’s definitely worth revisiting.

  • The Fraud Filter app is officially dead. Shopify unfortunately discontinued it and is no longer accepting new installs. If you were relying on old Fraud Filter rules, verify they're still active and migrate the logic to Shopify Flow before they stop working entirely.

  • Gorgias AI costs $0.90–$1.00 per automated resolution on top of your base plan ticket cost, and that automated ticket also counts against your monthly ticket quota. Operators are calling this double-billing. If your support volume is growing, model out what this costs you at 500 and 1,000 resolutions/month before you scale the AI features up.

  • MESA has a free Flow template specifically for flagging $0 orders as risky. If you want a more targeted trigger than Shopify's general fraud risk analysis, it's worth looking at. It’s free on the Shopify App Store.
