Shopify
Stores Part of Shopify
Shopify is an eCommerce system utilized by many smaller shops. Notable stores utilizing this system includes
A Ma Maniere
BBC
Cncpts
DSM
DTLR
Haven
Kaws
Kith
Livestock
Notre
Shoe Palace
Shop Nice Kicks
Supreme
Undefeated
Union
Top Supported Bots
Makebot
ValorAIO
Cybersole
Alpine
Profiles
Shopify stores are independently managed. This means that there is no one set of guidelines that will apply for every store. Each store will look for different things when filtering orders, and can cancel your orders at their own discretion. Additionally, many of these stores are small and have the time to do independent fraud reviews.
Name
Random first, random last name
Sometimes okay to reuse last name, but to avoid easy filtration best to use a random last name if possible.
Address
Using real address registered to card helps best to avoid cancellations.
For multiple orders, typically you'd want to jig your address slightly to get around automated filtration for duplicates.
For Line 1 of address, try to use methods such as:
Slight Misspellings
Modifying Street Suffixes - Street suffix abbreviations can be found here - https://pe.usps.com/text/pub28/28apc_002.htm
Random Characters
Line 2 is not necessary to jig normally. However, if you do live in an apartment, etc. that requires this, then you can change the wording up slightly.
Example - Apartment to apt, aprtmnt, etc.
Some stores use advanced jig filtering methods such as Kith. For these types of stores, it's best to use multiple addresses if possible to avoid cancellations.
Jigging address can show up as a red flag on Shopify's default fraud analysis for your order.
Cards
Most cards work for Shopify sites, including :
American Express Employee Cards
Amex Extend
Capital One Eno (Visa and MC)
Hard Cards
Privacy
Revolut
Slash
Stripe Issuing
Tradeshift
Reusing the Same Card
It is not advised to reuse the same card across multiple profiles/checkouts. This is an easy way to filter your orders.
Sharing Virtual Cards/Merchant Locks
It is best to not try to share virtual cards such as Eno/Privacy accross multiple sites. While they can be shared between some sites, it depends on the payment processor name and will lead to inconsistent results.
Mismatching Zip Code
Using a zip code that is not registered to the card shows up as part of the fraud review and can lead to your orders being cancelled. While this varies from store to store, it's best to avoid doing this.
Email
Real emails are highly recommended over catchall domains
Catchall domains are an easy way to filter orders and can show up in fraud reviews.
It's best to keep a unique email per order to avoid duplicate order filtering.
Phone Number
Random Phone Number with Real Area Code
Matching Shipping and Billing
Shopify stores do independently review orders for chances of fraud/duplicate orders.
Using mismatching information can lead to orders being automatically cancelled or cancelled during a manual review.
While you can get away with it at some shops, it will lead to inconsistent results overall and not recommended to do if possible.
Checkout Limits
Most stores have a one checkout per person limit.
To get around this, you'll want to use different information in each of your profiles
Task Per Profile Limit
It is not recommended to reuse profiles for tasks on Shopify, especially on sites you preload checkout sessions.
Shopify can rate limit (429) your purchase attempt for a small period of time if it detects the same info being used multiple times in preloaded sessions.
If possible, use unique info per task with different card, address and email.
Cancels and Shopify Fraud Analysis
Most cancellations on Shopify are handed the reason as fraud.
Each Shopify site operates independently and will not cancel for the same reasons as each other.
Below you can find some of the characteristics of an order that Shopify allows each individual store to see. Certain traits of an order can show up as a fraud indicator. Shopify provides a fraud analysis for each order to each individual store that they can use to determine if an order should be canceled or not. Some traits of the order than Shopify can flag for fraud are shown below:
Visit the following URL for more information -
https://help.shopify.com/en/manual/orders/fraud-analysis#view-the-fraud-analysis-for-an-order
In addition to the above, there are third-party fraud apps available to each Shopify site for fraud prevention from the Shopify App Store. These can show separate fraud indicators and recommendations that will show up with Shopify's fraud analysis for each order that go beyond what the standard indicators Shopify provides are. Examples of these third-party apps can be found here.
Common Cancellation Reasons
It’s difficult to give a blanket explanation of Shopify store cancels for this reason.
In general, the most common Shopify fraud indicators that are available for individual stores to see and potentially flag can be from the following:
Checkout IP location is too far from the shipping address. Using VA proxies while shipping to CA for example may be a red flag for some stores (most won’t cancel for this). Some DC proxies may not have had their geolocation information updated if they are new IPs. This means that even though your proxy is located in VA, in some databases out there it could show up as being located in Ukraine still for example. Your proxy provider will need to update this if this is confirmed to be an issue.
The checkout IP/proxy is a known dc proxy that is likely to be associated with a bot order.
A catchall domain was used for the order. It’s best to stick to real emails in general for shopify.
A virtual card was used for checkout and the store is unable to verify certain details about it.
Reusing the same profile information for multiple checkouts.
Not changing enough information up in between profiles with successful checkouts. Some sites use strong address filtration that is really hard to bypass outside of just using separate addresses per order such as Kith. For the best way to avoid this, use separate addresses in your profiles.
Address modifications such as four letter jig. Try to keep addresses as legitimate as possible for some sites.
If the website requires accounts, it can be helpful to use accounts that have purchase history on it to the same address being shipped to for a hyped release. Additionally, try to match account login email for that site to your checkout profile information.
Keep in mind that individual stores can set third-party fraud apps on their stores that can cancel for different reasons. For example, the picture below shows one called Shop Protector that would automatically cancel suspected bot-based checkouts based on human presence, and the bot devs themselves will have to bypass this detection to not get automatically cancelled.
Each Shopify site will cancel you for different reasons. Sticking to the guidelines above is the best way to avoid cancellations on most major sites. It’s difficult to make an all-in-one type profile guide for Shopify for that reason.
In cancellation emails, you’ll often see that it was canceled for the reason of being a suspected fraudulent checkout. It’s easy to think that all of these are in relation to antibot measures each store uses. However, there is a legitimate fraud concern involved regarding potential chargebacks in the future if someone was in fact using stolen information, and the original owner has to chargeback, which would cause the store to lose money. Realistically, there’s no reason for someone doing a legitimate checkout with a known internet proxy in most cases, or if you’re using an IP address located in Russia while you’re shipping to the United States for example.
As most Shopify stores are small in size and don’t handle tons of order volume as Nike for example, it’s easier for these stores to do a manual review of your order before fulfilling it. Some stores seemingly do in fact conduct a manual review of your order before shipping, which is why you will often see cancels go out either hours or days after the initial order is placed. Keep this in mind when creating your profiles and determining which proxies you plan to use.
Monitor Inputs
Monitor inputs for Shopify will be either keywords, links or variants.
Keywords
Keywords are a simple way to have your bots pick up an item on a site. The bot will just search the site for items that match the keywords you have entered.
Positive Keywords - These keywords will be the ones you want the bot to pick up and attempt to checkout. For example, if you wanted to pick up a new pair of 350s dropping, +Yeezy,+350 would be a possible option.
Negative Keywords - These keywords will be the ones you don’t want the bot to pick up. For example, if you are running for Jordan 1 Purple, and the site has Jordan 1 Low Purple loaded as well, then your keyword set will look something like +Jordan, +1, +Purple, -Low.
Be sure to run a test task if possible with a fake profile on your keywords first to see if they will accidentally pick up the wrong product.
Links
Links are direct links to a product that you want to run. A simple example of this is shown below:
https://kith.com/products/kith-x-stance-2-0-classic-crew-sock-black
If a link is known for a Shopify site, then it is helpful to run as it is faster than keywords since it doesn’t have to spend time searching the site for keywords.
However, for most sites now, the link will not be 100% known or confirmed, and will often be guesses based on previous drops of similar items and just replacing expected colors associated in the link for that product.
If you don’t mind some tasks not picking up, you can run some link tasks for a faster pick up time, but since they are not confirmed, use at your own risk.
Variants
A Variant is a unique ID given to a specific item and size variation of that item. For sneaker botting purposes, a variant corresponds to a specific shoe and size.
For example, if you want the following pair of Air Force 1’s in a size 8, https://kith.com/products/nike-air-force-1-07-white and you know what the variants for that shoe are, then you could use the pulled variant for it, 22284437383, to instantly cart the item in your bot without it having to search the site for it. This would speed up checkout time since it’s able to pick up the specific item and size much faster.
Variants for a release will typically be given to you in the format of:
31630504493120 - 7
31630504525888 - 7.5
31630504263744 - 8
31630504329280 - 9
31630504362048 - 9.5
31630504230976 - 10
31630504394816 - 10.5
31630504296512 - 11
In this case, only the underlined portion of each line above is considered a variant. The size information next to it is simply for reference purposes so you know what size the variant corresponds to as each variant is locked to a specific item and size. If you wanted the size 7 variant, then you’d simply type in 31630504493120, 31630504263744 for size 8, etc.
Since variants are size locked, the size you select in your bot while creating a task will not matter, as the variant only corresponds to a specific size only and cannot be used for other sizes. Note that variants are not shared across each Shopify site, and each Shopify site will have unique variants for the item and size combinations.
If a variant is known for an item, it’s advisable to run them as they will be the fastest monitor input method to pick up the product. Additionally, if a variant is loaded on the sites backend prior to a drop, they can already be in checkout and ready to submit order before the drop even happens.
For most major sites, you will not know what the confirmed variants are, as sites have stopped loading them onto site until the actual drop to prevent scrapers from picking them up and giving botters an unfair advantage. Variants will be known for restocks however and are highly recommended to run.
Antibot
When a site is said to be using antibot, this means that your bot’s fast mode tasks won’t work, and you’ll need to use the safe mode options they give you. Additionally, you'll need to solve a form of checkpoint captcha and take things like proxy protection into account.
Checkpoint
Just like antibot, any site dropping hyped items will typically have this enabled during an initial drop or restock. While checkpoint is enabled, you will have to solve a captcha for each task for it to go to checkout after carting. There is no way to bypass this captcha or share a checkpoint captcha with other tasks.
Checkpoint captcha can be seen below. Once you cart an item and go to checkout, you will be required to solve this checkpoint captcha in order to move forward with checkout. Note that this captcha is different than captcha you’d see in checkout on the Shipping Contact information page, and some sites may require you to solve both checkpoint and checkout, or may not enable checkout captcha and only require you to solve checkpoint captcha.
This captcha can either be reCAPTCHA v2 checkbox or hCaptcha.
Many bots have automatic hCaptcha solving integrated into the bot's solvers. This does not apply to recaptcha based checkpoint captchas.
Checkpoint will never remain on 24/7, and typically will be turned off shortly after the drop is over.
Checkpoint going up randomly outside of drops indicates a restock is about to happen.
reCAPTCHA Checkpoint
It is advisable to use Gmails with high trust scores as is the case for any platform using reCAPTCHA. You will get easier captchas to solve during drop this way and may potentially avoid antibot errors this way.
You can harvest activity on Gmails for a high trust score with something like AYCD or Kylin If you don’t have any already, or use personal Gmail accounts that have daily activity on them for a long time. Aged one click Gmails from reputable providers may help you if you don’t already have good standing Gmails.
It is no longer possible to get one clicks for captchas while antibot is enabled during a drop. This is because Shopify raises their reCAPTCHA security preference to the most secure option as seen here (https://developers.google.com/recaptcha/docs/settings).
The best case scenario on Shopify is to get 2-3 click captchas, which would basically mean you only have to click 2-3 pictures to complete a captcha request.
Having Gmails with a high trust score loaded into your harvesters will help you with this and are required in order to get these captchas. You want to avoid multipage, vanishing, or very grainy captchas as these will slow you down while solving checkpoint by a considerable margin, and have a higher chance of hitting payment failed errors. You will get those on Gmails that aren’t high trust score.
HCaptcha Checkpoint
Has many different variations as of 2025. Sometimes starting with a question. The most common HCaptcha checkpoint is your typical 3x3 square of images that you have to select through. Usually 2-3 pages before you can proceed.
The second most common HCaptcha Checkpoint you will encounter requires you to draw a box surrounding the desired entity. For this challenge, you want to draw the box as tightly around the entity as possible. We find drawing a very small box at random, deleting it, then drawing the tight box around the entity consistently passes the challenge.
There are additional types of HCaptcha that have been appearing elsewhere and can make their way to Shopify. These include but are not limited to the following examples:
Sometimes HCaptcha Checkpoints will first ask a question before you can actually solve the challenge. Submitting the answer too quickly will flag you and require you to resubmit the answer. Answers are typically not case-sensitive.
One Click HCaptcha Checkpoints are not possible.
Servers are typically flagged by HCaptcha. It is generally preferred to run from your local machine. Double check if your server is flagged before a major release.
Solving an HCaptcha checkpoint too quickly can result in a flag, prompting you to try again. Even typing the question answer too fast will prompt a flag. The best practice for solving HCaptcha Checkpoints is to have multiple harvesters opened, initiating the solve for one while completely solving the other, alternating between the windows. Simply having the HCaptcha challenge opened counts as time toward solving the challenge. If solving a single HCaptcha, it is best to wait a few seconds before submitting the challenge, even clicking on and off of a wrong square is good practice too.
Early adoptions of HCaptcha were easily solved by utilizing AI programs such as AYCD AI. Unfortunately HCaptcha has been implementing very strict measures to hinder the effectiveness of AI software. This includes using fuzzier images, different and very specific wording, various modifications to traditional pattern recognition, and brand new challenges altogether. HCaptcha is always changing and adapting to new technology. Keep in mind that the challenges you are seeing today can very well change a few months from now.
Unlike ReCaptcha, you do not have to worry about a Gmail Trust Score for HCaptchas. Rather you should be more concerned regarding the quality of your session and connection. Use Local host (no more than 3 tasks) and high quality residentials in your tasks when dealing with HCaptcha releases. A server is not recommended for running localhost HCaptcha tasks.
You can demo HCaptcha challenges here.
Cloudflare
Recently, Cloudflare has been enabled on the majority of Shopify stores. The quality of your proxy / connection is extremely important for passing. Most of the time you will not see Cloudflare on the store, as it is only triggered when making a low-quality connection to the store.
If the store uses HCaptcha regularly, there is very high chance it has Cloudflare enabled.
Some bots will require you to solve Cloudflare Captchas, known as Turnstile, prior to a scheduled release. Unlike ReCaptcha and HCaptcha, you will not have to click any images to complete the Turnstile challenge. It is a one-click challenge that verifies the quality of your session, among other factors, before allowing you to pass.
This Turnstile captcha is also found on every Shopify Store's login page. A successful solve is required for each login. This captcha can sometimes be invisible (similar to ReCaptcha V3).
High-quality Residential Proxies such as Live Proxies are recommended for major Shopify releases that utilize both Cloudflare and HCaptcha.
You can demo Cloudflare's Turnstile Captcha here.
Number of Harvesters
I personally would recommend having at least 2-4 captcha harvesters open during Shopify drops. The more the better.
Most captchas will be checkpoint. You will want to sometimes have a harvester open and filtered for checkout captchas only in the event the store uses this. Once you see a checkout captcha pop up in your checkout harvester, immediately prioritize these over the checkpoint captchas you were solving. Checkout Captchas are becoming more common again, with some of them being HCaptchas as well.
Proxies in Harvesters
Shopify harvesters will use your task proxy for your solving IP instead of the IP you put into your captcha harvester in bot when logging in.
It’s important to use good task proxies while running for Shopify drops. You need to be considerate of using proxies that may potentially be flagged or not by Google.
This is one of the reasons why it is highly recommended to use localhost or ISP over residential proxies for ReCaptcha Harvesters. Residential proxies by design are just shared IPs from major providers like NetNut, Oxylabs, Smart, etc., and many of those residential proxies have been used for spam purposes in the past most likely and flagged by Google. High Quality Residential Proxies are still viable for HCaptcha harvesters as HCaptcha does not use Google's flagging.
Checkout Captcha
If checkout captcha is enabled during a drop, a captcha challenge will need to be solved in the first stage of checkout under Contact Information as shown below. Websites will sometimes not enable this captcha, but sometimes it will be enabled during a hyped drop. Many sites do not leave checkout captcha enabled all day and will only enable it around drop time.
AYCD Autosolve
AYCD Autosolve cannot directly be used to solve captchas for Shopify remotely.
You can use the Desktop AI solver however to solve captchas that appear on screen. This requires you to have an active AYCD Autosolve and AI Sub.
This will have to be ran on the same pc/server as your bot. It also tends to be a bit slower than manually solving, but can be helpful if you're away from your pc.
Proxies
The best proxies to use will depend on whether or not proxy protection is up.
If proxy protection is not up, then localhost and ISP are the best options.
If proxy protection is down, then localhost is best, and fast residentials if you want more tasks.
Proxy Protection
If a site is using this, this means that certain proxies will be blocked from both carting a product and from generating a checkout URL.
If this is enabled, you will need to use either unthrottled ISP proxies, residential proxies or localhost. Note that a proxy can ping fine to a site, but still be throttled and blocked from carting and going to checkout as mentioned above.
Most ISP are throttled and won't work, but some do exist out there that do.
Localhost
Localhost is a great option on Shopify since the vast majority of home IPs are unthrottled, especially on domain change drops.
Many run up to 2-3 localhost tasks now during a drop and have had good and consistent success doing so.
ISP
ISP proxies work well while proxy protection isn't up.
A lot of ISP are flagged on while proxy protection isn't up. If they are flagged, then they won't pick up any products or be able to get into checkout.
They will not typically work on domain change drops.
Residential Proxies
Residential proxies, while usually slower, and are recommended for most high-security Shopify releases. Think Domain Change, Proxy Protection, and HCaptcha Checkpoint releases.
Task to Proxy Ratio
Localhost - 2-3 tasks ideally
ISP - 1 task per proxy
Residential - 1-3 proxies per task in case some are dead. Static residential proxies only.
Additional notes
IP/proxy cannot change after passing queue. Doing so will either result in a requeue or payment failed error in checkout.
If botting Shopify you should be using both ISP & Residential Proxies.
Start Times
The time at which you will start tasks will depend on if you can generate a checkout URL to bypass the queue or not.
If no password page is enabled prior to drop, you can start tasks when queue starts to build to preload. Please pay attention to the live-drop information channel in AMNotify for when to start your tasks in this case. You will start tasks at a high delay such as 8000 at first and lower accordingly about 10-15 seconds before a drop.
If password page is enabled prior to drop, then there is no reason to start tasks earlier at high delay. You will not be able to generate a queue bypass link in this case and will have to sit through the queue first after carting before checkout.
Delays
When starting tasks early to preload a queue session, you can start at high delays from 8000-10000.
When lowering delays 10-15 seconds before, delays can be lowered to 2000-3500.
When running sites with a password page and you cannot preload queue bypass, you can also do 2000-3500.
Restocks
Most websites will use checkpoint before putting up restocks. However, sometimes they can restock without checkpoint.
For your best chances of hitting restocks, it is highly recommended to set up your automations. Quick tasking from monitors is no longer an effective way to hit restocks, especially for recent drops.
When running planned restocks, such as Kith's Thursday night restocks, you do not want to rely on automations for this. This is because you want your tasks to be able to pass queue on time, so you'll need to run tasks as you would normally for drops and mass link change before drop.
Last updated