These Cloudflare WAF rules (not my creation) should help mitigate some of the threat by blocking Tor traffic, blocking bots and blocking datacenter IPs (e.g. bots running on a VPS). The rules are granular, so you can tweak them when you start to identify the traffic sources of the bad actors.
You'll probably need to block entire ASNs. I assume most of your legitimate customers aren't using VPNs or, e.g., DigitalOcean droplets to access your site.
https://webagencyhero.com/cloudflare-waf-rules-v3/
In addition, you should start looking for alternatives to PayPal in case they decide to drop you.
Do Western services ever offer two payment gateway options to the customer? It's common in India.