
My shopify store just got wrecked overnight with 25k fraudulent charges

★★★ signal-strong   r/shopify  ·  ↑ 161  ·  💬 151  ·  2026-03-25  ·  kw: hours every day
Tool: Shopify, ChargeFlow
Issue: Fraudulent account takeover via cookie-stealing malware (Umbral Stealer) bypassed 2FA, opened $30k credit line, charged $25k in fake bulk orders to drop addresses within hours, triggering account freeze and blocking legitimate orders for a store doing $8k/month.
Cost: $25,000 in fraudulent charges + lost revenue from frozen account + potential refunds
Recommendation: ChargeFlow (chargeback automation and evidence gathering)
Date context: 2026-03-25; references Duet Night Abyss malware incident from recent patch
Extracted with: anthropic/claude-haiku-4.5 · 2026-05-08

Body

Woke up this morning to my inbox completely buried under thousands of spam emails. Promotions for random craft fairs in Europe, luxury brands I never signed up for, newsletters piling up so fast I could barely scroll. Thought it was just another bot attack and started deleting in bulk, but something felt off, so I paused and actually searched for Shopify. Buried like 400 emails deep were three critical ones I almost missed. One said a recovery code was used to log in. Never requested it. Another welcomed me to Shopify Credit, which I definitely did not apply for. And the third had financial disclosures for a new line of credit. Heart just stopped.

Logged in immediately and there it was. Someone had opened a 30k credit line in my store's name and already racked up 25k in fraudulent charges for fake bulk orders to drop addresses. All within hours. I have 2FA on everything. Authenticator app, not SMS. Changed all passwords, locked everything down, reported to Shopify support right away. They say investigation could take 90 days and charges might get reversed, but the account is frozen now for suspicious activity, which is insane because the hack already happened. Other merchants are messaging me saying same thing happened to them. Spam flood to hide the real notifications.

This store was finally hitting 8k a month after a year of grinding products, testing ads, building trust. Now everything paused, customers emailing why site down, potential refunds piling up. Cannot even process real orders. Feel like throwing up. How does this even happen with 2FA? Is there any way to speed up Shopify disputes or recover faster? Anyone been through this nightmare and clawed back? Please tell me this is recoverable before I shut it all down.
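The spam flood described above works because a few real security notices get lost among hundreds of unrelated senders. The following is an added example, not part of the original post: a triage pass that flags a likely flood and pulls out messages from trusted senders whose subjects mention account or credit changes. The sender domains, phrases and sample mailbox are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; use the senders and phrases that matter to you.
# The From header can be forged, so a real filter should also require a passing
# DKIM/DMARC result before trusting the domain.
TRUSTED_DOMAINS = {"shopify.example", "bank.example"}
SECURITY_PHRASES = ("recovery code", "credit", "password", "new login")

def triage(raw_messages, flood_threshold=100):
    """Return (flood_detected, priority) for a batch of raw RFC 5322 messages."""
    priority, domains = [], set()
    for raw in raw_messages:
        msg = message_from_string(raw)
        address = parseaddr(msg.get("From", ""))[1].lower()
        domain = address.rpartition("@")[2]
        domains.add(domain)
        subject = msg.get("Subject", "")
        # Exact domain match: look-alike domains must not be promoted.
        if domain in TRUSTED_DOMAINS and any(
            phrase in subject.lower() for phrase in SECURITY_PHRASES
        ):
            priority.append((address, subject))
    # Many messages from many unrelated domains at once suggests subscription bombing.
    flood = (len(raw_messages) >= flood_threshold
             and len(domains) >= flood_threshold // 2)
    return flood, priority

def build_sample_mailbox():
    """Constructed mailbox: 400 newsletters, one look-alike, three real notices."""
    noise = [
        f"From: news@list{i}.example\nSubject: Craft fair promotion {i}\n\nhi\n"
        for i in range(400)
    ]
    lookalike = "From: promo@shopify-deals.example\nSubject: Store credit offer\n\nhi\n"
    notices = [
        "From: Security <security@shopify.example>\n"
        "Subject: A recovery code was used to log in\n\n...\n",
        "From: credit@shopify.example\nSubject: Welcome to Shopify Credit\n\n...\n",
        "From: credit@shopify.example\n"
        "Subject: Financial disclosures for your new line of credit\n\n...\n",
    ]
    return noise[:250] + notices[:1] + [lookalike] + noise[250:] + notices[1:]

if __name__ == "__main__":
    flood, priority = triage(build_sample_mailbox())
    print("flood detected:", flood)
    for address, subject in priority:
        print(address, "|", subject)
```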

Top comments (9)

[score=1] AutoModerator
To keep this community relevant to the Shopify community, store reviews and external blog links will be removed. Users soliciting personal contact, sales, or services in any form will result in a permanent ban. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/shopify) if you have any questions or concerns.*
[score=36] Mamas_Bad_Kitty
I would make sure to put a freeze on your credit immediately and notify all credit bureaus of said transactions.
[score=21] Purple-Path-7842
You a gamer by chance who played Duet Night Abyss? They just had malware included in a patch because someone hacked their system; it's called Umbral Stealer. Either way, something like Umbral can get around 2FA by taking the cookies off your web browser and logging in with them. Umbral Stealer is open source, so it could be included in anything you download, and it sends them your cookies via a Discord webhook, so basically a message in a server the "hacker" would have. More than likely, this is the type of method they used, because cookies are the main way to get around 2FA/MFA.
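A stolen session cookie is accepted after the 2FA check has already passed, so the service only notices if it compares later requests against the context in which the session was created. The following is an added example, not part of the thread and not any platform's actual logic: it binds each session to the user agent and /24 network seen at the MFA login and flags requests that reuse the session from a different context. Event fields, action names and the sample log are constructed assumptions.

```python
import ipaddress

def context(event, prefix=24):
    """Client fingerprint: user agent plus the network the request came from."""
    network = ipaddress.ip_network(f"{event['ip']}/{prefix}", strict=False)
    return (event["ua"], network)

def find_replayed_sessions(events):
    """Return (ts, sid, action) for requests that reuse a session from a new context."""
    bound = {}   # session id -> context recorded when MFA succeeded
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "login_mfa_ok":
            bound[e["sid"]] = context(e)
        elif e["sid"] in bound and context(e) != bound[e["sid"]]:
            # Same cookie, different browser or network, and no new MFA event.
            # VPNs and mobile networks also cause this, so a real system would
            # force re-authentication here rather than block outright.
            alerts.append((e["ts"], e["sid"], e["action"]))
    return alerts

# Constructed sample log (documentation IP ranges, made-up session ids).
SAMPLE_EVENTS = [
    {"ts": "2026-01-01T08:00:00", "type": "login_mfa_ok", "sid": "s-owner",
     "ip": "192.0.2.10", "ua": "Firefox/Windows", "action": "login"},
    {"ts": "2026-01-01T08:05:00", "type": "request", "sid": "s-owner",
     "ip": "192.0.2.44", "ua": "Firefox/Windows", "action": "view_orders"},
    {"ts": "2026-01-01T09:00:00", "type": "login_mfa_ok", "sid": "s-staff",
     "ip": "203.0.113.5", "ua": "Safari/macOS", "action": "login"},
    {"ts": "2026-01-01T09:02:00", "type": "request", "sid": "s-staff",
     "ip": "203.0.113.5", "ua": "Safari/macOS", "action": "view_orders"},
    {"ts": "2026-01-02T03:10:00", "type": "request", "sid": "s-owner",
     "ip": "198.51.100.7", "ua": "Chrome/Linux", "action": "open_credit_line"},
    {"ts": "2026-01-02T03:25:00", "type": "request", "sid": "s-owner",
     "ip": "198.51.100.7", "ua": "Chrome/Linux", "action": "create_order"},
]

if __name__ == "__main__":
    for ts, sid, action in find_replayed_sessions(SAMPLE_EVENTS):
        print(f"{ts} session {sid} reused from new context: {action}")
```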
[score=19] [deleted]
[removed]
[score=7] Visible_Donkey_7130
Ugh, this nightmare is too real. I went through a fraud mess with my Shopify setup a while back, charges racking up before I knew it. Ended up using ChargeFlow to handle the chargeback recovery and it actually helped automate a lot of the evidence gathering, got some money back way sooner than waiting on support alone. Their AI stuff pulls together the proofs without you chasing everything manually. Not saying it's a fix-all, but it eased the pain. With your 25k hit, have you checked out anything like that for speeding up the disputes on those bulk orders?
[score=7] link30224
You got me paranoid ima check that now
[score=7] Awkward-Chemistry627
Reading this just made my stomach drop. Back in March, PayPal flagged my account for suspicious transactions and froze every payout right when I hit a run on orders for a popular product. I remember scrubbing through page after page of nonsense emails trying to find the one message that actually mattered.
[score=7] RubberReptile
Do you have business insurance? Some plans have coverage for this type of attack. 
[score=6] GeneralTBag
I’m SO SORRY this happened to you. Sounds like you did everything right and still got dinged. Do you think your phone has been hacked or something to be able to access the Authenticator?