Having worked with payments on a number of products it's really not a tall claim at all. On a small product that's an offshoot of a large media company we had the luxury of firewalling off a lot of countries, prior to that we'd see thousands of fraudulent attempts / payments a week. A lot of them are people iterating through lists of stolen card numbers looking for ones that are still working, so while the actual number of people / bots doing it might be lowish the volume of attempted charges can be huge.
I used to work on fraud detection on a product with transactions totaling billions of dollars a year, and for a period of time we could have stopped something like 90% of our fraud attempts (with like a 99% accuracy rate) by simply blacklisting IPs from Turkey, Vietnam, Ghana, and Nigeria.
