Thanks for that info. I will test it shortly.
For those with this issue, I have gone through my access logs and identified 35 IP addresses coming from Amazon Web Services that seem to be behind this exploit. These IPs had roughly 60-70 user sessions open at all times and were entering directly into a cart checkout page. I have blocked these IPs at server level and the user hasn't popped back up in the last couple hours. (correction, I just checked and the hacker is back on new IPs)
34.226.217.189
52.90.105.63
3.86.194.220
54.162.199.5
34.203.31.73
54.242.248.51
3.91.22.229
3.83.122.116
3.86.17.235
3.87.125.27
3.84.1.204
3.86.195.29
18.207.168.178
3.91.105.65
107.22.64.199
54.167.218.195
34.203.189.201
34.235.160.85
18.206.243.7
54.92.169.31
3.81.72.223
54.162.221.69
54.146.245.126
54.158.13.28
54.81.159.253
54.91.208.246
3.80.245.34
3.87.158.162
54.208.28.191
34.228.218.112
54.196.24.167
54.175.76.197
54.204.151.47
54.197.78.24
54.221.70.114
