For work, I run a cloud service like this, and we do indeed have this kind of fraud. Every stolen credit card number under the sun has signed up for an account. People create thousands of emails (and brand new domains) to get free trials. And, when our systems identify them and we shut them down, they whine in all possible support forums. I don't think we've ever made a mistake, but that is likely due to the small scale of our operation.
The only thing that keeps me sane is the extremely poor opsec of the fraudsters. They have pools of thousands of compromised IPs they're using for the command-and-control infrastructure that they install, but they often mistakenly use the same destination crypto wallet (they have a little LD_PRELOAD script they install to try to prevent us from seeing this, but it doesn't work if you don't load dynamic libraries to read the process table), or use a predictable naming scheme, or taint accounts by accessing a few of them from the same IP. (I have a graph that connects the accounts through things like IP address, so this is often the fatal screwup for thousands of accounts all at once.)
I imagine that Digital Ocean has this same problem, but at a million times the volume. So, there are going to be mistakes. It's intrinsically difficult to establish trust at these small scales. DO probably feels pretty uncomfortable giving someone a bunch of compute resources when they haven't even tried billing the credit card. You would feel pretty uncomfortable paying up front. So this is where we land, sometimes you look like fraud and get killed with fire. (As you get bigger, you'll have weekly meetings with your cloud provider, and they probably won't shut you down automatically. But at that small scale, it's tough for everyone!)
