PRACTICAL · Last updated: · 8 min read · by Jordan, PassivePin Editorial
Seven signs a DePIN project is a scam
The red flags we have learned to spot: hidden emissions, fake dashboards, copy-pasted whitepapers, and the four-letter acronym every project should have before you plug in.
DePIN has a fraud problem. The category's accessibility (anyone can launch a token, a dashboard, and a Discord in a weekend) is also its vulnerability. Of the ~120 DePIN projects we have evaluated for the PassivePin directory, about 40% have been removed for reasons ranging from outright fraud to negligence. This guide is a checklist of the seven red flags we use internally to decide whether a project is worth listing.
1. No on-chain proof of customers
Every real DePIN project has customers, and those customers are visible on-chain. A bandwidth network's customers are the addresses that pay for bandwidth. A storage network's customers are the addresses that upload data. A compute network's customers are the addresses that pay for jobs. If the project does not publish its customer addresses (or the addresses are clearly internal / sybil-controlled), there are no real customers.
How to check: ask the team for the dashboard URL. A real project will have a Dune dashboard or a Token Terminal page that shows non-team addresses paying for the service. If the only "revenue" is from the team's own multisig paying itself, the project is funded by emissions and the token will eventually zero out.
2. Anonymous team with no shipping history
An anonymous team is not automatically a red flag (Satoshi was anonymous, and so is the team behind some legitimate DePIN projects), but it is a yellow flag that compounds with other concerns. A team with a real shipping history — even if pseudonymous — has reputational skin in the game. A team with no verifiable history of building anything is a much bigger risk.
How to check: look for the team's previous projects on GitHub, on-chain activity, and Twitter/X. A real team has commits, deployments, and a track record you can verify. A fake team has a glossy website and a Discord where the mods dodge questions about their background.
3. Token unlock schedule that dumps on operators
Every DePIN project has insiders (team, investors, advisors) who got tokens at a discount before the public. The question is when those tokens unlock. A project that locks insider tokens for 4+ years is aligning the team with operators. A project that unlocks 30%+ of the supply to insiders in the first 6 months is going to dump on operators as soon as the token lists on a CEX.
How to check: read the tokenomics section of the docs, and verify the unlock schedule on-chain (most projects publish the vesting contract on Etherscan or the equivalent block explorer for their chain). Token Unlocks, a third-party dashboard, also tracks upcoming unlocks for most major projects.
4. "Audit" by an unknown firm
Most DePIN projects claim to be audited. The audit firm is often a small, unknown company that the team paid to write a positive report. Real audits come from reputable firms (Trail of Bits, OpenZeppelin, Spearbit, Code4rena, Cantina). If the audit was done by a firm that only has 1-2 audits on its portfolio, treat the audit claim as marketing, not verification.
How to check: search the audit firm on GitHub or LinkedIn. A real firm has a public team, a public portfolio, and a reputation to protect. A fake or bought-out firm has none of those. Also look for the actual report; if the report is a single PDF with no detailed findings, the "audit" was a checkbox exercise.
5. Customer revenue that "is coming next quarter"
The most common refrain in a failing DePIN project is "real customers are coming next quarter." The team has a pilot with a Fortune 500, a letter of intent from a regional telco, a partnership with a web3 protocol. The pilots never close, the LOIs never convert, the partnerships never ship. The project runs on emissions, the token bleeds, and the team blames market conditions.
How to check: ask the team for a customer reference. A real project will happily connect you with a paying customer. A project that cannot produce a single paying customer reference is not a real business yet, regardless of how impressive the dashboard looks.
6. Marketing that is mostly KOLs and airdrop hunters
A real DePIN project grows because it has a working product that real operators recommend to other operators. An unhealthy project grows because it pays KOLs to tweet about it and pays airdrop farmers to spin up nodes. The two are easy to tell apart: a real project has organic engagement in its Discord, organic Reddit posts, and operators who have been around for more than one airdrop season.
How to check: read the project's Discord. If 80% of the channels are "airdrop," "quests," and "how to multi-account," you are looking at a farming economy, not a real one. Look for technical discussion, customer use cases, and operators talking about their actual earnings.
7. The team disappears for 30+ days
A team that goes silent for a month is either dealing with a major issue (exploit, legal, key compromise) or has lost interest. Neither is good for operators. The PassivePin directory removes any project that goes silent for 30+ days; a project that comes back after a 60-day silence is usually a project that has lost 90% of its operator base during the absence.
How to check: look at the project's blog, X account, and GitHub commits over the last 60 days. A healthy project has visible activity every week. A project with two commits in 60 days is in trouble, even if the team says "we are heads-down shipping."
The 30-minute check
If a project fails any two of the seven checks above, do not deploy. If a project fails four or more, do not even click the referral link. We have removed 14 projects from the directory for failing multiple checks; six of them have since hard-rugged, and the rest have effectively zeroed their token.
The good news: the category as a whole is healthier than it has ever been, and the share of fraudulent projects is dropping as the legitimate projects accumulate reputation. The directory is biased toward projects that have passed these checks, but if you want to do your own evaluation, the framework above is what we use.
What to do if you have been scammed
If you have already deployed capital or hardware to a project that turns out to be fraudulent, the recovery options are limited. Here is what to do in order.
- Stop deploying further capital. Do not chase losses with new deposits to "recover."
- Document everything: contract addresses, transaction hashes, screenshots of the dashboard, Discord messages, KOL promotions. Save the data locally; do not rely on the project's website remaining online.
- Report the project to the relevant authorities. In the US, the FTC and SEC both have online complaint forms. In Australia, Scamwatch. In the EU, your national consumer protection agency. The report will not get your money back, but it builds the case for enforcement.
- Reach out to other operators in the project's Discord. The team will try to control the narrative; the operators in the same position as you are the most useful source of accurate information about what is happening.
- Do not trust anyone who DM's you offering to "recover" your funds for a fee. The recovery scam is the most common follow-on to a DePIN rug.
Continue learning: Side-by-side project comparisons →
© 2026 PassivePin. See also: about · methodology · FAQ · editorial policy.