PSC
Principal Exchange-Traded Funds Principal U.S. Small-Cap ETF
stock NASDAQ ETF

Fair point! The effort required to feel "somewhat safe" in DeFi is the real tax, and it compounds every time you look at a new project. Your shift toward setups where the variable is just the outcome makes sense as a response to that.
To your question: I have seen teams pass both layers, but it's rare, and it tends to cluster. The projects that register a real entity, file PSC data, and keep their contact info and registry records in sync are usually also the ones with auditor-published reports, on-chain proof-of-reserves where relevant, and team members whose LinkedIn histories actually check out. It's the same operational discipline showing up everywhere. The projects that half-pass the registry check (entity exists but directors are nominees, or the address is a shell company service) almost always fail somewhere else too.
What I don't see much of yet is the reverse: projects that fail the surface checks but pass the entity layer. In theory that could exist (established operator launching a new protocol with a minimal landing page) but in practice, if the domain is three weeks old and the team page is stock photos, the legal registry usually tells the same story.
So the honest answer to "are there teams that pass both layers consistently" is yes, but you can roughly predict them from the surface signals already. Which I guess argues that the surface-to-depth investigation flow still works, just that people are stopping too early.

I run a data API that includes DNS lookups, email validation, and web scraping. Last week I looked at how people were actually using it, and one pattern stood out: DeFi project investigation.
A group of users (6+ IPs, 20+ calls within minutes of each other, probably a team or multi-agent workflow) ran a systematic check on several projects. OceanSwap, NoviFi, NexusChain, a few others. Their method was consistent:
1. Check if the project domain exists (DNS lookup)
2. Check domain variants: .com, .io, .finance, .xyz
3. Validate team email addresses — do the domains actually resolve?
4. Scrape the website content if it exists
OceanSwap: four domain variants checked, all non-existent. That's about as clear a rug-pull signal as you'll get before money is involved.
What I found interesting is what they didn't check. None of them ran sanctions screening, company registration lookups, or beneficial ownership checks. These are the signals that separate a sophisticated scam from an amateur one. A real project has a registered entity somewhere. It has directors whose names appear in a company registry. A fake project has a nice website and a Telegram group.
The pattern that's hardest to fake:
* **Registered entity**: Does a company actually exist behind this project? Check the relevant country's company registry (Companies House for UK, Brreg for Norway, etc.)
* **Beneficial ownership**: Who actually controls the entity? Not who's on the About page. Who has significant control according to the legal registry.
* **Sanctions**: Are any associated individuals or entities on OFAC, EU, or UN sanctions lists?
* **Domain age + registration**: A domain registered 3 weeks ago promoting a "established DeFi protocol" is a signal.
A website can be faked in an afternoon. A Companies House registration with directors, a registered address, and PSC filings takes actual identity exposure. Scammers avoid that.
The DNS + email + scrape approach works for catching the obvious fakes (non-existent domains, broken email addresses). But for projects that have a working website and a polished frontend, you need to go one layer deeper into corporate registries and sanctions data.
This is what I'm building tooling around if anyone's curious. An API that bundles these checks into single calls. But even without that, the registry data is publicly available. Companies House has a free API. OFAC publishes their sanctions list as a downloadable file. The hard part is stitching it together and keeping it current.
What does your due diligence process look like before you put money into a new project? Curious whether people are checking registries or mostly relying on community reputation and social signals.

Fair point! The effort required to feel "somewhat safe" in DeFi is the real tax, and it compounds every time you look at a new project. Your shift toward setups where the variable is just the outcome makes sense as a response to that.
To your question: I have seen teams pass both layers, but it's rare, and it tends to cluster. The projects that register a real entity, file PSC data, and keep their contact info and registry records in sync are usually also the ones with auditor-published reports, on-chain proof-of-reserves where relevant, and team members whose LinkedIn histories actually check out. It's the same operational discipline showing up everywhere. The projects that half-pass the registry check (entity exists but directors are nominees, or the address is a shell company service) almost always fail somewhere else too.
What I don't see much of yet is the reverse: projects that fail the surface checks but pass the entity layer. In theory that could exist (established operator launching a new protocol with a minimal landing page) but in practice, if the domain is three weeks old and the team page is stock photos, the legal registry usually tells the same story.
So the honest answer to "are there teams that pass both layers consistently" is yes, but you can roughly predict them from the surface signals already. Which I guess argues that the surface-to-depth investigation flow still works, just that people are stopping too early.

I run a data API that includes DNS lookups, email validation, and web scraping. Last week I looked at how people were actually using it, and one pattern stood out: DeFi project investigation.
A group of users (6+ IPs, 20+ calls within minutes of each other, probably a team or multi-agent workflow) ran a systematic check on several projects. OceanSwap, NoviFi, NexusChain, a few others. Their method was consistent:
1. Check if the project domain exists (DNS lookup)
2. Check domain variants: .com, .io, .finance, .xyz
3. Validate team email addresses — do the domains actually resolve?
4. Scrape the website content if it exists
OceanSwap: four domain variants checked, all non-existent. That's about as clear a rug-pull signal as you'll get before money is involved.
What I found interesting is what they didn't check. None of them ran sanctions screening, company registration lookups, or beneficial ownership checks. These are the signals that separate a sophisticated scam from an amateur one. A real project has a registered entity somewhere. It has directors whose names appear in a company registry. A fake project has a nice website and a Telegram group.
The pattern that's hardest to fake:
* **Registered entity**: Does a company actually exist behind this project? Check the relevant country's company registry (Companies House for UK, Brreg for Norway, etc.)
* **Beneficial ownership**: Who actually controls the entity? Not who's on the About page. Who has significant control according to the legal registry.
* **Sanctions**: Are any associated individuals or entities on OFAC, EU, or UN sanctions lists?
* **Domain age + registration**: A domain registered 3 weeks ago promoting a "established DeFi protocol" is a signal.
A website can be faked in an afternoon. A Companies House registration with directors, a registered address, and PSC filings takes actual identity exposure. Scammers avoid that.
The DNS + email + scrape approach works for catching the obvious fakes (non-existent domains, broken email addresses). But for projects that have a working website and a polished frontend, you need to go one layer deeper into corporate registries and sanctions data.
This is what I'm building tooling around if anyone's curious. An API that bundles these checks into single calls. But even without that, the registry data is publicly available. Companies House has a free API. OFAC publishes their sanctions list as a downloadable file. The hard part is stitching it together and keeping it current.
What does your due diligence process look like before you put money into a new project? Curious whether people are checking registries or mostly relying on community reputation and social signals.