🧠 THE BIG IDEA
You might not believe this (I know I didn’t), but according to Radware's 2025 Report, 57% of all e-commerce traffic during the 2024 holiday season wasn't human.
Let that land for a second. Over half.
And while most people picture bots crashing the huge sneaker drop, the version hitting mid-market Shopify brands is something a lot of people aren’t talking about.
They're getting into your checkout, syncing to Klaviyo, and triggering your welcome flow before you even know they exist.
Here's what it's costing you and the fix we built to stop it ⤵️
THE SETUP
🎯 The Attack Nobody Talks About
StrangeLove Skateboards partnered with Nike SB on a Valentine's Day sneaker drop. 200 pairs. Years of work. The launch was live for two minutes before bots tore through the site and the whole thing had to be cancelled. They called it "botbarians at the gate." The shoes never sold online. Everyone had to go to a physical store.
That's the version you hear about because it was visible. The site crashed. The launch died in public. You could point to the damage.
What's hitting Shopify brands right now is quieter and, in some ways, worse. Because you can't see it happening. Your site stays up. Your signup numbers look great. Your list is growing. And underneath all of it, your welcome flow is firing into a graveyard.
Here's the part that catches most people off guard: every time a checkout-started event fires on your Shopify store, that profile syncs to Klaviyo whether or not a real person signed up. Double opt-in doesn't stop it at the checkout entry point. The profile lands in your account either way.
We caught this on a client account a few months back. List growth was up. Revenue from the welcome flow wasn't moving with it. Bounce rate was ticking up. Google Postmaster showed domain reputation starting to slide. We pulled the subscriber source data and found hundreds of profiles that had entered through checkout-started events with email addresses from domains like rtremail.com and joonix.net. Real addresses. Fake people.
Your welcome flow doesn't know the difference. It fires anyway. And every time it does, you're burning a little more of your sender reputation with Gmail and Yahoo.
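The source-data audit described above can be scripted against a profile export. This is an added example, not the tooling used on the client account: the column names (email, source, confirmed, orders), the sample rows and the thresholds are all constructed assumptions, not a Klaviyo export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; column names are assumptions for this example.
# example.com stands in for a large mailbox provider with real shoppers.
SAMPLE_EXPORT = """\
email,source,confirmed,orders
ana@example.com,signup_form,yes,2
ben@example.com,checkout_started,no,0
cy@example.com,checkout_started,yes,1
k3f9a@rtremail.com,checkout_started,no,0
zz81q@rtremail.com,checkout_started,no,0
p0x7m@rtremail.com,checkout_started,no,0
u44td@joonix.net,checkout_started,no,0
w9e2c@joonix.net,checkout_started,no,0
h7r1b@joonix.net,checkout_started,no,0
eli@example.org,checkout_started,no,0
"""

def suspicious_domains(csv_text, min_profiles=3, min_share=0.8):
    """Flag email domains dominated by unconfirmed, zero-order checkout entries.

    Returns {domain: (suspect_count, total_count)} for domains where at least
    min_profiles profiles are suspect and they make up min_share of the domain.
    """
    total = defaultdict(int)
    suspect = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        email = row["email"].strip().lower()
        if email.count("@") != 1:
            continue  # malformed address: skip rather than guess a domain
        domain = email.split("@")[1]
        total[domain] += 1
        if (row["source"] == "checkout_started"
                and row["confirmed"] != "yes"
                and int(row["orders"] or 0) == 0):
            suspect[domain] += 1
    return {
        d: (n, total[d])
        for d, n in suspect.items()
        if n >= min_profiles and n / total[d] >= min_share
    }

if __name__ == "__main__":
    for domain, (bad, seen) in sorted(suspicious_domains(SAMPLE_EXPORT).items()):
        print(f"{domain}: {bad}/{seen} checkout-entry profiles, unconfirmed, no orders")
```

The share threshold keeps a mailbox provider with a mix of buyers and ordinary abandoned checkouts from being flagged alongside domains where every profile looks the same.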
WHY IT MATTERS
📉 3 Things Breaking At The Same Time
When bots inflate your Klaviyo list, the damage isn't one thing. It's three things breaking in parallel, and all of them are invisible until they're not.
1️⃣ Deliverability. Fake addresses generate hard bounces. Real addresses that bots submitted without the person's knowledge generate spam complaints when your welcome flow fires. Both tank your sender reputation. Gmail's spam complaint threshold is 0.3%. You can hit it fast if you're sending at volume into a bot-inflated list.
2️⃣ Your Klaviyo bill. Klaviyo charges by active profiles. Bots are adding profiles to your account whether or not they confirm. Some bots target checkout specifically because the Shopify-Klaviyo sync happens regardless of opt-in status. You're paying for contacts that will never buy anything.
3️⃣ Your data. Conversion rate on your welcome flow, signup-to-purchase rate, new subscriber revenue. All of it gets diluted when fake profiles are mixed in. You can't make good decisions with dirty numbers. And you won't know the numbers are dirty until you go looking.
THE FIX
🔧 Stop The Bleed With This System
When this hit one of our accounts, we needed a solution that protected deliverability immediately, without killing the welcome flow for real subscribers. Turning off the welcome flow wasn't a solution; it was a crutch.
Here's the two-step structure we put in place.
Step 1: Create a separate signup list with double opt-in turned on.
This list becomes the only entry point for any signups coming from Shopify. Double opt-in is enabled specifically for this list, and anyone who can't confirm their email never becomes an active subscriber. Bots can't confirm. Real people can.
Step 2: Duplicate your welcome flow and attach it to the new list.
The duplicated flow is triggered only by the new Shopify signup list. This separates confirmed subscribers from unverified ones at the flow level, not just the list level. Two flows for clean separation.
By routing opt-ins through a separate list with its own dedicated flow and double opt-in turned on, you guarantee that your highest-stakes automated sequence, the one that fires first and sets the tone for the entire customer relationship, is only going to real people.
This is a triage fix, not a permanent wall. You still want to address the source.
On the Shopify side, hCaptcha helps against basic bots but sophisticated attacks route around it.
Start inside Klaviyo. You can have the duplicate flow structure live in an afternoon.
The Shopify-side hardening takes longer. Don't wait on the long fix when the short-term fix is so simple.
FREE WEBINAR
📅 Your List Is Killing Your Revenue
June 18, 2026 · 10 AM PT / 1 PM ET
I'm joining Brian Minick (COO, ZeroBounce) and Nicole Daly (Product Partnerships, Klaviyo) for a free one-hour webinar going deeper on exactly this.
List bombing, deliverability damage, how to validate and clean a list that's already been hit, and what Klaviyo is seeing across accounts right now.

Until the next one,
— Anthony R.
