u/Petter-Strale

▲ 6 r/mcp+1 crossposts

I watched people investigate DeFi projects using my API. Here's the pattern scammers can't fake.

I run a data API that includes DNS lookups, email validation, and web scraping. Last week I looked at how people were actually using it, and one pattern stood out: DeFi project investigation.

A group of users (6+ IPs, 20+ calls within minutes of each other, probably a team or multi-agent workflow) ran a systematic check on several projects. OceanSwap, NoviFi, NexusChain, a few others. Their method was consistent:

  1. Check if the project domain exists (DNS lookup)
  2. Check domain variants: .com, .io, .finance, .xyz
  3. Validate team email addresses — do the domains actually resolve?
  4. Scrape the website content if it exists

OceanSwap: four domain variants checked, all non-existent. That's about as clear a rug-pull signal as you'll get before money is involved.

What I found interesting is what they didn't check. None of them ran sanctions screening, company registration lookups, or beneficial ownership checks. These are the signals that separate a sophisticated scam from an amateur one. A real project has a registered entity somewhere. It has directors whose names appear in a company registry. A fake project has a nice website and a Telegram group.

The pattern that's hardest to fake:

  • Registered entity: Does a company actually exist behind this project? Check the relevant country's company registry (Companies House for UK, Brreg for Norway, etc.)
  • Beneficial ownership: Who actually controls the entity? Not who's on the About page. Who has significant control according to the legal registry.
  • Sanctions: Are any associated individuals or entities on OFAC, EU, or UN sanctions lists?
  • Domain age + registration: A domain registered 3 weeks ago promoting an "established DeFi protocol" is a signal.

A website can be faked in an afternoon. A Companies House registration with directors, a registered address, and PSC filings takes actual identity exposure. Scammers avoid that.

The DNS + email + scrape approach works for catching the obvious fakes (non-existent domains, broken email addresses). But for projects that have a working website and a polished frontend, you need to go one layer deeper into corporate registries and sanctions data.

This is what I'm building tooling around if anyone's curious. An API that bundles these checks into single calls. But even without that, the registry data is publicly available. Companies House has a free API. OFAC publishes their sanctions list as a downloadable file. The hard part is stitching it together and keeping it current.

What does your due diligence process look like before you put money into a new project? Curious whether people are checking registries or mostly relying on community reputation and social signals.

u/Petter-Strale — 1 day ago
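
The DNS, domain-variant and email-domain checks (steps 1 to 3 of the method in the post), as an added example that is not part of the original post and is not the author's API. The function names, the flag strings and the project names `exampleswap` and `goodproto` are assumptions made for illustration; the resolver is injectable so the sample runs offline against a constructed stub.

```python
import socket
from typing import Callable, Dict, Iterable, Optional

TLDS = ("com", "io", "finance", "xyz")  # the variants listed in the post

def resolves(host: str) -> bool:
    """Default resolver: True if the name has an A/AAAA record.
    MX-only mail domains would need a DNS library and are reported as dead here."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False

def email_domain(addr: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if it is malformed."""
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or "." not in domain.strip("."):
        return None
    return domain.lower().rstrip(".")

def triage(project: str, emails: Iterable[str],
           resolver: Callable[[str], bool] = resolves) -> Dict[str, object]:
    """Steps 1-3: domain, domain variants, team email domains."""
    name = project.strip().lower()
    variants = {f"{name}.{tld}": resolver(f"{name}.{tld}") for tld in TLDS}
    mail = {}
    for addr in emails:
        dom = email_domain(addr)
        if dom is None:
            mail[addr] = "malformed"
        else:
            mail[addr] = "ok" if resolver(dom) else "dead-domain"
    flags = []
    if not any(variants.values()):
        flags.append("no-domain-variant-resolves")
    if any(state != "ok" for state in mail.values()):
        flags.append("unreachable-team-email")
    return {"variants": variants, "emails": mail, "flags": flags}

if __name__ == "__main__":
    # Constructed sample: a stub resolver keeps the demo offline.
    live = {"goodproto.io"}
    for proj, team in [("exampleswap", ["team@exampleswap.io", "not-an-email"]),
                       ("goodproto", ["dev@goodproto.io"])]:
        print(proj, triage(proj, team, resolver=lambda h: h in live)["flags"])
```

An empty `flags` list only means the project passed the obvious-fake checks; the registry, beneficial ownership and sanctions checks described in the post are a separate layer.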