Threat · Scams & fraud

Fake Shopify store suspension lure — "store suspended due to policy violation / payout hold / DMCA complaint, verify in 24 hours or store deactivated" targeting 2M+ Shopify merchants; admin credentials + 2FA harvest enables payout redirect, customer-PII + card exfil from admin, malicious-app install, mock-page product swap, Shopify-SMTP relay abuse for trusted-IP phish-blast

fake-shopify-store-suspension-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake "your Shopify store has been suspended due to policy violation / payout hold / DMCA complaint, verify within 24 hours or the store will be permanently deactivated" email targeting the 2M+ Shopify merchant base. It harvests Shopify admin credentials and 2FA codes.

Post-compromise, attackers:
(1) redirect store payouts to attacker-controlled bank accounts;
(2) extract customer PII and card data from the Shopify admin dashboard;
(3) install a malicious Shopify app with broad permissions for persistence that survives password rotation;
(4) replace product photos and checkout flows with mock pages that skim customers to scam sites;
(5) abuse the Shopify SMTP relay to send phishing at scale from a high-reputation sender IP.

The lure converts because Shopify genuinely does suspend stores for real reasons: high chargeback rates, DMCA complaints, prohibited-product listings, payment-risk flags. Merchants have a primed mental model. Sucuri and Shopify's own merchant-security advisory documented sustained 2024-2025 campaigns.

Fires when the body references Shopify / Shopify admin / Shopify store / myshopify domain / Shopify Payments / Shop Pay AND contains suspension / payout-hold / policy-violation / DMCA / deactivation / verify urgency. Excludes shopify.com, shopifymail.com, shopifymail.net, myshopify.com, shopify.app, shopifycdn.com, shopifysvc.com. Auto-classified as danger via the `-lure` suffix.
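The firing condition above, sketched as an added example (not Gorganizer's own code). The regexes, the function names and the choice to apply the exclusion list to the From domain are assumptions of this sketch; the sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Terms come from the rule text on this page; the regexes are this example's own.
BRAND = re.compile(r"shopify|\bshop\s+pay\b", re.I)
URGENCY = re.compile(
    r"suspen(?:ded|sion)|payout[\s-]+hold|policy[\s-]+violation|\bdmca\b"
    r"|deactivat(?:ed|ion)|\bverify\b", re.I)
# Exclusion list exactly as given on the page.
EXCLUDED = ("shopify.com", "shopifymail.com", "shopifymail.net", "myshopify.com",
            "shopify.app", "shopifycdn.com", "shopifysvc.com")

def sender_domain(from_header):
    """Domain part of the From address, lowercased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")

def is_excluded(domain):
    # Match the domain itself or a true subdomain. A substring or bare
    # endswith() test would also exempt look-alikes that only contain the name.
    return any(domain == d or domain.endswith("." + d) for d in EXCLUDED)

def lure_signal(from_header, body):
    """True when the rule would fire (assumption: exclusion is by sender domain).

    Assumption: the From domain has already passed SPF/DKIM/DMARC alignment,
    otherwise a spoofed From header would suppress the signal.
    """
    if is_excluded(sender_domain(from_header)):
        return False
    return bool(BRAND.search(body) and URGENCY.search(body))

LURE = ("Your Shopify store has been suspended due to a policy violation. "
        "Verify within 24 hours or the store will be permanently deactivated.")
# Constructed sample messages: (From header, body).
SAMPLES = [
    ("Shopify Support <alerts@merchant-review.example>", LURE),
    ("Shopify <noreply@email.shopify.com>", LURE),
    ("Shopify <noreply@shopify.com.merchant-review.example>", LURE),
    ("Theme Shop <news@themes.example>", "New Shopify themes are available."),
    ("IT <it@corp.example>", "Your mailbox is suspended, verify now."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(lure_signal(sender, body), sender)
```

The third sample shows why the exclusion is anchored on a dot boundary: a sender domain that merely begins with an excluded name is still scored.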

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
