It definitely is malicious if he actually places orders. Jail seems like a possibility if every restaurant actually is affected.

If he's just triggering "Add to Cart" and the system responds with "Ice Cream Machine Broken" then it's relatively less harmful. As he says, it probably messes with their data. Unlikely that he's spending $18000 per minute.

Wouldn't he need to pay to actually place the order though?

Yes, another case of a little whitd lie to grab eyeballs. Drafting an order and placing an order are 2 distinct states of an order

Not on an internal API I wouldn't think - he's just spoofing that volume of orders from registers, as if customers had walked into all stores and all ordered the same ice cream simultaneously.

It's more like they ordered from mobile, but didn't checkin/pickup so they're not wasting food or $$.

> to clarify how this works: mcdonald's keeps track which locations have a broken machine, I'm merely querying for those - no order gets executed, no ice cream is actually wasted

> I'm currently placing an order worth $18,752 every minute

Agree with you that this seems actively malicious, and because of the dollar amounts involved, is liable to get him in big trouble.

The McDonalds app lets you place an order, but you have to check-in (via the app) when you arrive to pick it up. They don't start preparing anything until you do that; you can cancel, change stores, adjust order, etc. up until the "I'm here" button is hit.

In this case this seems perfectly valid and nobody is being hurt.