Sandbox accounts in production being used for Fraud

Starting a few months ago, we noticed that we are receiving sign-ups to our application using Sandbox accounts. These accounts were not created by us, and certainly do not show up under Sandbox users on App Store Connect.

When we set up In App Payment, our server side validation followed the guidance to always allow sandbox receipts (see https://developer.apple.com/documentation/appstorereceipts/verifyreceipt).

I think we assumed that only Sandbox users that we set up in App Store Connect would be allowed to be used with our app. Another assumption was that Apple reviewers could create Sandbox accounts to use to test our IAP sign-up during app review.

How are other developers preventing fraudulent sign-ups from sandbox accounts? Has something changed with In App Payments this year related to sandbox accounts?

After reviewing our data more, it's been a rash of sandbox signups over the past week (approximately 40). When we have not been actively testing, we see anywhere from 0-2 a month and there are far more months where we see 0. Always assumed these were Apple reviewers using throw away e-mail addresses.

our server side validation followed the guidance to always allow sandbox receipts

What do you mean by "always allow sandbox receipts"? I hope you don't mean that when you receive a sandbox receipt, you always just accept the request? The page you linked to says:

"call the production URL https://buy.itunes.apple.com/verifyReceipt first and proceed to verify with the sandbox URL if you receive a 21007 status code."

What exactly are you doing?

First we try to validate the receipt against the Apple production environment. If it returns a 21007, then we try to validate it against the sandbox environment. If that second verification succeeds, we continue with our processing (check for a valid subscription, etc).
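The flow described in that reply (production verifyReceipt first, sandbox retry only on status 21007), as an added example that is not the poster's code, with one extra step a defender would want: after validation, inspect the `environment` and `bundle_id` fields Apple returns and decide by policy whether a sandbox-issued receipt should be honoured at all. The `fake_apple` transport, the bundle id `com.example.app` and the `allow_sandbox` flag are constructed assumptions for an offline run; `_post_json` is the real-network path.

```python
import json
import urllib.request

PRODUCTION_URL = "https://buy.itunes.apple.com/verifyReceipt"
SANDBOX_URL = "https://sandbox.itunes.apple.com/verifyReceipt"
STATUS_OK = 0
STATUS_SANDBOX_RECEIPT_SENT_TO_PRODUCTION = 21007


def _post_json(url, body):
    """Default transport: POST the JSON request body to Apple, decode the reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def verify_receipt(receipt_data, shared_secret, post=_post_json):
    """Production first; retry against sandbox only on 21007.
    Returns Apple's full response so the caller can see which environment
    finally validated the receipt instead of just a pass/fail."""
    body = {"receipt-data": receipt_data, "password": shared_secret,
            "exclude-old-transactions": True}
    resp = post(PRODUCTION_URL, body)
    if resp.get("status") == STATUS_SANDBOX_RECEIPT_SENT_TO_PRODUCTION:
        resp = post(SANDBOX_URL, body)
    return resp


def is_acceptable(resp, expected_bundle_id, allow_sandbox):
    """Policy layer: a receipt Apple validates is not automatically one the
    production service should grant a subscription for."""
    if resp.get("status") != STATUS_OK:
        return False, "status %s" % resp.get("status")
    if resp.get("receipt", {}).get("bundle_id") != expected_bundle_id:
        return False, "bundle_id mismatch"
    if resp.get("environment") == "Sandbox" and not allow_sandbox:
        return False, "sandbox receipt rejected by policy"  # log/flag for review
    return True, "ok"


def fake_apple(url, body):
    """Constructed stand-in for Apple (no network): a receipt string prefixed
    'SANDBOX:' behaves like a sandbox receipt, anything else like production."""
    is_sandbox = body["receipt-data"].startswith("SANDBOX:")
    if url == PRODUCTION_URL and is_sandbox:
        return {"status": STATUS_SANDBOX_RECEIPT_SENT_TO_PRODUCTION}
    return {"status": STATUS_OK,
            "environment": "Sandbox" if is_sandbox else "Production",
            "receipt": {"bundle_id": "com.example.app"}}
```

In production the `allow_sandbox` decision would come from something you control, such as an allowlist of internal tester accounts, so that unexpected sandbox receipts are flagged rather than silently converted into paid subscriptions.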

OK. I read "always allow" as perhaps meaning that you were not actually validating sandbox receipts. It looks like you're doing it right.

Sorry, I don't have any particular insight into your problem.
