[eluser]Michael Wales[/eluser]
Are you recording IP addresses? You could always notify the ISP of fraudulent activity, file a police report in your city as well as in the perpetrators if you can trace it that far (if not, in the county of the ISPs main office). These are the first steps in getting the money you deserve for your work.
As for not giving your product to people after a certain amount of time - you could implement a phone call system. This could either be manual, or an Asterisk server with a pre-recorded message (which is how I would do it).
User gets emailed a unique X-digit code and is either A) told to call the 1-800 # or receives a call from the 1-800 #. This would be the phone number on file with the credit card company - don't let the user enter their own, that defeats the purpose.
Once they enter their code, the Asterisk database is updated, and a cron script you run on your normal site will check for that change every X minutes and send emails to those that have verified they are who they say they are.