Tesla Posted August 14, 2025

I have a WHMCS owned license for a very small company with less than 10 active clients.

In the past 2 weeks I have received hundreds of fake new orders + new customer signups from multiple VPN IP addresses + emails etc.

What is common?

- All orders are via the "PayPal" module. My other payment gateway is Stripe; this one obviously will validate and attempt capture, but PayPal doesn't do any of these preflight checks. It creates an invoice straight away, which I want to avoid unless a payment is received first.

Can this be fixed in any way? My WHMCS version is 8.0.5 (I have no plans to upgrade my fully owned license; the help and fix I am looking to implement should work on this version).

- I have added a hook to stop these hackers from using "+" email addresses (e.g. wahoo+2838@gmail.com); these are now blocked.
- I have added a hook to "force" users to validate their e-mails that I found on https://github.com/Infinitz-1973/Whmcs-Force-Email-Verify/blob/main/Verify.php. I had high hopes this would stop them, but they found a way to circumvent the hook code? Any help?
- I have enabled the "free" FraudLabs Pro plugin. This fails to stop them from creating invoices and fake customer accounts still.

The hook that's supposed to ensure clients must be fully e-mail verified... but isn't working is below:

```php
<?php
if (!defined("WHMCS")) die("Can't access the file directly!");

use WHMCS\View\Menu\Item as MenuItem;
use Illuminate\Database\Capsule\Manager as Capsule;

# Would you like to prevent unverified accounts from placing orders ?, set it to false to accept orders
define("PREVENTUNVERIFIEDORDERS", true);

# How many days to wait before deactivating the unverified account, set 0 to deactivate this feature
define("DEACTIVATEACCOUNTAFTERXDAYS", 5);

# How many days to wait before setting the unverified account as closed, set 0 to disable this feature
define("CLOSEACCOUNTAFTERXDAYS", 7);

# Orders will not be completed if the email is not verified.
add_hook("ShoppingCartValidateCheckout", 1, function($vars){
    if (PREVENTUNVERIFIEDORDERS===true){
        // get the client data
        $client = Menu::context("client");
        // verifies if the client is logged in and if it is found
        if (!is_null($client) && $client) {
            // check if the email is not verified
            if ($client->isEmailAddressVerified()==false) {
                // message
                return array("<b>You must first verify your email address before completing any order</b>");
            }
        }
    }
});

# Deactivate unverified account after x days
add_hook("DailyCronJob", 1, function($vars){
    if (intval(DEACTIVATEACCOUNTAFTERXDAYS)!==0){
        $dateCreated = date("Y-m-d", strtotime("now - ".intval(DEACTIVATEACCOUNTAFTERXDAYS)." days"));
        $getAccounts = Capsule::table("tblclients")->where("datecreated", "=", $dateCreated)->where("email_verified", "=", 0);
        foreach ($getAccounts->get() as $account){
            Capsule::table("tblclients")->where("id", $account->id)->update(array("status" => "Inactive"));
        }
    }
});

# Close unverified accounts after X days
add_hook("DailyCronJob", 1, function($vars){
    if (intval(CLOSEACCOUNTAFTERXDAYS)!==0){
        $dateCreated = date("Y-m-d", strtotime("now - ".intval(CLOSEACCOUNTAFTERXDAYS)." days"));
        $getAccounts = Capsule::table("tblclients")->where("datecreated", "=", $dateCreated)->where("email_verified", "=", 0);
        foreach ($getAccounts->get() as $account){
            Capsule::table("tblclients")->where("id", $account->id)->update(array("status" => "Closed"));
        }
    }
});
```
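One gap visible in the hook posted above is that it returns no error when no client is logged in, so a checkout that creates a brand-new account is never checked. The following is an added example, not code from the original post or from the Verify.php project: a fail-closed variant that uses only the calls already shown in the post. The helper name `verifiedCheckoutErrors` is hypothetical, the stub clients at the bottom are constructed, and it assumes `Menu::context("client")` yields no client object for a visitor who is not logged in, as the posted null check implies.

```php
<?php
// Added example, not the code from Verify.php: fail-closed checkout check.

/**
 * $client: object exposing isEmailAddressVerified(), or null when nobody
 * is logged in. Returns error strings; an empty array means "allow".
 * verifiedCheckoutErrors() is a hypothetical helper name.
 */
function verifiedCheckoutErrors($client, bool $enforce = true): array
{
    if (!$enforce) {
        return [];
    }
    if (!is_object($client)) {
        // The posted hook returns no error on this path.
        return ["<b>Please register, verify your email address and log in before ordering</b>"];
    }
    if (!$client->isEmailAddressVerified()) {
        return ["<b>You must first verify your email address before completing any order</b>"];
    }
    return [];
}

// Inside WHMCS: same hook point and client lookup as the posted code.
if (defined("WHMCS") && function_exists("add_hook")) {
    add_hook("ShoppingCartValidateCheckout", 1, function ($vars) {
        $errors = verifiedCheckoutErrors(Menu::context("client"));
        if ($errors) {
            return $errors;
        }
    });
}

// Outside WHMCS (run from the CLI): exercise the decision with constructed stubs.
if (!defined("WHMCS") && PHP_SAPI === "cli") {
    $stub = function (bool $verified) {
        return new class($verified) {
            private $verified;
            public function __construct(bool $verified) { $this->verified = $verified; }
            public function isEmailAddressVerified(): bool { return $this->verified; }
        };
    };
    $cases = ["guest" => null, "unverified" => $stub(false), "verified" => $stub(true)];
    foreach ($cases as $label => $client) {
        echo $label, ": ", verifiedCheckoutErrors($client) ? "blocked" : "allowed", "\n";
    }
}
```

The trade-off is that a new customer has to register, verify the email address and log in before an order can be placed.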
WHMCS John (WHMCS Product Manager) Posted August 26, 2025

Hi @Tesla,

In 8.11 we added new captcha options which will stop more automated bots than the older Invisible reCaptchaV2 technology: https://docs.whmcs.com/releases/8-11/8-11-release-highlights/#new-captcha-options

You could also restrict ordering to users with verified email addresses, which might slow them down: