Your reasoning flaw is here, the site can not, and should not have to guess whether the request is legitimate or if a scammer is trying to get a refund on an attempted cheat.
It makes perfect sense from a business perspective to take a very clear position should this kind of stuff arise.