Fraud Orders from the Store-API

I have a store that over the past several months has seen a significant influx of fraudulent orders. I use paypal for all of my payment services and paypal is catching most of the fraudulent orders but I am getting something like 100 a day. When I dig into the orders, I see that the order was `_created_via` the store-api and it is the same for all of the other orders. Has anybody else had this issue? How do I disable the store-api entirely?

I have a separate web app integration that uses the REST api but I don't think my keys have been exposed and this shouldn't have any impact on the store-api anyway right? I dont have wordfence or any other serious security plugins installed and i'd rather not have to, but if it prevents this, I guess I will install them.