You make a game publish it, you have in app items like lives and power ups, users have to create accounts, after a while you find several users have 999 lives or loads of purchased power ups in the db, but they havent actually purchased the items as you can check your console orders. So what can you do. It must be they have a cracked version of you game. the server records users ip when new user signs up but ips can be fake like with vpn you have their email but those can be created using fake details you have their username but those can be different for each account they have you is there really anything you can do apart from create checks in the app to like double check if they have actually purchased the item. In my game the after the user buys an iap the item count is increased and stored in their account, so it seems that they are somehow bypassing the actual IAP purchase and running the code that executes after user has made a purchase.