Shepley Capital


Risks and Scams - Cryptopedia by Shepley Capital

Security Red Flags in New Crypto Projects

The crypto space produces a continuous stream of new projects, tokens, protocols, and platforms. Some represent genuine innovation. Many are mediocre. A significant proportion are outright fraudulent. The challenge for investors is that in the early stages of a project’s life, the difference between these categories is not always obvious, and the marketing of a fraudulent project is often indistinguishable from the marketing of a legitimate one.

The red flags covered in this resource are the signals that separate projects worth serious consideration from those that warrant immediate scepticism. None is individually definitive. The more of these signals a project displays, the stronger the case for walking away before any capital is committed.


Why New Projects Carry Elevated Risk

The risk profile of a new crypto project is structurally different from an established one. An established project with years of operation, a proven team, a publicly audited codebase, and a track record of handling security incidents has demonstrated characteristics that a brand-new project cannot demonstrate by definition.

New projects ask investors to take on trust what established projects have demonstrated through action. That trust is frequently exploited. Rug pulls, fraudulent token launches, and exit scams are almost exclusively a new project phenomenon because the architecture of deception requires a window of time before the fraud becomes apparent.

Researching altcoins properly and applying DYOR (Do Your Own Research) as a genuine practice rather than a slogan is the foundation of evaluating new projects. What follows are the specific signals to look for in that research.


Red Flag 1: Anonymous Team With No Verifiable History

An anonymous or unverifiable team is the single most consistent characteristic of fraudulent new projects. When the people behind a project cannot be identified, they cannot be held accountable, and the barrier to executing an exit scam is essentially zero.

This doesn’t mean every anonymous team is fraudulent. Bitcoin’s creator Satoshi Nakamoto remains anonymous, and the project has obviously demonstrated its legitimacy through more than a decade of operation. But anonymity in a new project, particularly when combined with other red flags on this list, is a serious warning sign.

When evaluating a team, verify the following: can you find each team member’s professional identity independently, outside the project’s own materials? Do their LinkedIn profiles, GitHub contributions, and other professional presences have histories consistent with their claimed backgrounds? Have they been involved in other projects, and what was the outcome? Are their credentials in the areas where they claim expertise? A team that presents names, photos, and biographies that cannot be independently verified is a team presenting fabricated credentials, which is itself a red flag.

Advisors listed on a project’s website deserve the same scrutiny. Some fraudulent projects list prominent industry figures as advisors without those individuals’ knowledge or consent. When advisors are listed, verify the relationship through the advisor’s own communications, not through the project’s claims alone.


Red Flag 2: Whitepaper Absent, Vague, or Plagiarised

A crypto whitepaper is the foundational document through which a project communicates its technology, use case, economic model, and vision to the public. A legitimate project invests significant effort in producing a document that can withstand technical scrutiny.

Several whitepaper-related red flags are worth knowing.

No whitepaper at all. A project launching a token with no documentation of what the token does, why it exists, or how it creates value has no fundamental basis for its valuation. The absence of a whitepaper is a clear signal that the project’s value proposition is entirely speculative.

A vague or marketing-heavy whitepaper. Some projects produce documents that look like whitepapers but contain no technical substance, only aspirational language about disrupting industries, serving billions of users, and generating extraordinary returns. A whitepaper that cannot be meaningfully critiqued because it makes no specific technical claims is not a real whitepaper.

A plagiarised whitepaper. Fraudulent projects have copied whitepapers from legitimate projects, substituting token names and team details while leaving the core content unchanged. Searching for distinctive phrases from a new project’s whitepaper can reveal whether the content is original.

Promises of guaranteed returns. Any document that promises investors specific returns, guarantees of price appreciation, or fixed yields without clearly explaining the mechanism by which those returns are generated is either fraudulent or structurally unsound. Legitimate projects describe mechanisms and value propositions, not guaranteed outcomes.


Red Flag 3: No Credible Smart Contract Audit

For any project involving a smart contract, whether a token, a DeFi protocol, an NFT platform, or any other on-chain application, a credible independent security audit is a baseline expectation for legitimate projects.

A proper audit involves independent security researchers reviewing the smart contract code for vulnerabilities, backdoors, malicious functions, and logical errors. Reputable auditing firms publish their findings publicly, including identified issues and their resolution status. The audit report should be specific to the contract addresses actually deployed, not to a different version of the code.

Common red flags in the audit category include: no audit at all, an audit from a firm that doesn’t exist or has no credible track record, an audit that cannot be independently verified through the auditing firm’s own published records, an audit of a different contract version than what is deployed, and critical findings that were left unresolved when the project launched anyway.

Even a clean audit from a reputable firm is not a complete guarantee of safety. Audits are point-in-time reviews, and code deployed after an audit isn’t covered. But the absence of any credible audit in a project launching a smart contract is an unambiguous red flag.


Red Flag 4: Problematic Tokenomics

Tokenomics, the economic design of a token including its supply, distribution, and utility, is one of the most revealing indicators of a project’s intentions. Several tokenomics structures are consistent indicators of projects designed to extract value from investors rather than create it.

Excessive team allocation without lockup. A legitimate project typically allocates a portion of the token supply to the team, with that allocation subject to a vesting schedule, that is, a lockup period before any tokens can be sold. When the team holds a large allocation with no lockup, or a very short lockup, they retain the ability to sell their entire allocation into buying pressure immediately. This is the structural precondition for a coordinated dump.

Highly concentrated supply in few wallets. Using a blockchain explorer to check the top token holders before investing is a basic due diligence step. When 20%, 30%, or more of the total supply is concentrated in a small number of wallets, the project has the structural conditions for severe price manipulation. Check whether those wallets are identified as team wallets, exchange wallets, or truly anonymous holders.

No clear utility for the token. A token that has no defined function within the project’s ecosystem, that isn’t required for any specific use case, and whose value is entirely dependent on speculative demand has no fundamental floor. This doesn’t mean the token can’t appreciate in value, but it does mean there is no mechanism by which the token’s price is anchored to anything other than market sentiment.

Inflationary mechanics without clear utility for new supply. Some projects generate token emissions through staking, yield farming, or other mechanisms at rates that significantly exceed demand. Sustained high inflation in a token’s supply depresses price unless demand is growing faster than supply, and many projects use inflationary mechanics to pay early investors yields that are ultimately funded by later investors, a structure that is economically indistinguishable from a Ponzi.


Red Flag 5: Unlocked or Minimal Liquidity

For tokens trading on decentralised exchanges, the liquidity pool that enables trading should be locked for a meaningful period by any project serious about its longevity. Liquidity locking prevents developers from draining the pool, which is the core mechanism of a hard rug pull.

When evaluating a new project’s liquidity, check: is the liquidity locked, and can that lock be independently verified on a locking platform? How long is the lock period? A lock of a few weeks provides minimal protection. A multi-year lock or permanent liquidity burn provides meaningfully stronger assurance. What proportion of the total liquidity is locked? A small locked proportion with a large unlocked portion provides limited protection even if the locked portion is touted prominently.

The total value locked in a project’s liquidity pools relative to its market capitalisation is also a useful metric. A very low TVL relative to market cap suggests thin liquidity that makes large exits highly destructive to the price and creates significant slippage for any investor attempting to exit a meaningful position.
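The holder-concentration check from Red Flag 4 and the liquidity-lock questions above can be run as one calculation. The following is an added example, not part of the original article; the thresholds, wallet labels, and sample balances are assumptions constructed for illustration, standing in for data read from a blockchain explorer and a locking platform.

```python
from datetime import datetime, timezone

# Thresholds are assumptions for this example, not figures from any standard.
MAX_TOP_SHARE = 0.20      # the text treats 20% or more in few wallets as a concern
MIN_LOCK_DAYS = 365       # a lock of a few weeks is treated as effectively unlocked
MIN_LOCKED_SHARE = 0.80   # a small locked portion offers limited protection

def top_holder_share(holders, total_supply, top_n=10):
    """Share of supply in the top_n wallets, skipping exchange and burn addresses."""
    balances = sorted((h["balance"] for h in holders
                       if h["label"] not in ("exchange", "burn")), reverse=True)
    return sum(balances[:top_n]) / total_supply

def durable_liquidity_share(lp_holders, lp_supply, now):
    """Share of LP tokens that are burned or locked for at least MIN_LOCK_DAYS."""
    durable = 0
    for h in lp_holders:
        unlock = h.get("unlock")
        if h["label"] == "burn" or (unlock and (unlock - now).days >= MIN_LOCK_DAYS):
            durable += h["balance"]
    return durable / lp_supply

def assess(holders, total_supply, lp_holders, lp_supply, now):
    findings = []
    share = top_holder_share(holders, total_supply)
    if share >= MAX_TOP_SHARE:
        findings.append("top wallets hold %.0f%% of supply" % (share * 100))
    durable = durable_liquidity_share(lp_holders, lp_supply, now)
    if durable < MIN_LOCKED_SHARE:
        findings.append("only %.0f%% of liquidity is burned or locked long-term" % (durable * 100))
    return findings

# Constructed sample data; the remaining supply sits in small wallets not listed.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
HOLDERS = [
    {"label": "team", "balance": 250_000},
    {"label": "exchange", "balance": 150_000},
    {"label": "burn", "balance": 100_000},
    {"label": "unknown", "balance": 60_000},
]
LP_HOLDERS = [
    {"label": "locker", "balance": 300, "unlock": datetime(2026, 3, 31, tzinfo=timezone.utc)},
    {"label": "locker", "balance": 200, "unlock": datetime(2028, 3, 1, tzinfo=timezone.utc)},
    {"label": "burn", "balance": 100},
    {"label": "deployer", "balance": 400},
]

if __name__ == "__main__":
    print(assess(HOLDERS, 1_000_000, LP_HOLDERS, 1_000, NOW))
```

In the sample, half of the LP supply sits in a locker, but most of that unlocks within 30 days, so only 30% counts as durable.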


Red Flag 6: Suspicious Smart Contract Functions

For technically oriented investors, reviewing a project’s smart contract code for suspicious functions is one of the most direct forms of due diligence available. For investors without technical knowledge, automated tools provide partial coverage.

Common malicious smart contract functions include: mint functions that allow unlimited post-launch token creation, blacklist or whitelist functions that allow the developer to prevent specific addresses from selling, fee modification functions that can be used to set trading fees to 100% and prevent all selling, hidden ownership transfer functions, and pause functions that can freeze all trading.

Tools like Token Sniffer, Rugcheck.xyz for Solana tokens, and Honeypot.is automate some of this analysis and identify common malicious patterns. These tools are not comprehensive replacements for a proper audit, but they can identify obvious red flags quickly and without technical knowledge.

A contract whose source code is not verified on a blockchain explorer is itself a red flag. Legitimate projects verify their contract code publicly, allowing anyone to read it. An unverified contract makes independent review impossible and suggests the developers have something to hide.
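A first-pass review of a verified contract's ABI for the owner-controlled functions listed above might look like this. It is an added example, not part of the original article and not how the tools named above work; the name patterns, the `fn` helper, and the sample ABI are assumptions constructed for illustration.

```python
import json
import re

# Name patterns for the capabilities listed above. Matching on function names
# is a heuristic assumed for this example; it proves nothing on its own.
PATTERNS = {
    "mint": re.compile(r"mint", re.I),
    "blacklist/whitelist": re.compile(r"blacklist|whitelist|blocklist", re.I),
    "fee modification": re.compile(r"^(set|update|change).*(fee|tax)", re.I),
    "ownership transfer": re.compile(r"(transfer|set|change)owner", re.I),
    "pause": re.compile(r"pause", re.I),
}

def flag_abi(abi_json):
    """Return sorted (category, signature) pairs for state-changing functions."""
    findings = []
    for entry in json.loads(abi_json):
        if entry.get("type") != "function":
            continue
        if entry.get("stateMutability") in ("view", "pure"):
            continue  # read-only getters cannot change balances, fees or owner
        args = ",".join(i["type"] for i in entry.get("inputs", []))
        for category, pattern in PATTERNS.items():
            if pattern.search(entry["name"]):
                findings.append((category, "%s(%s)" % (entry["name"], args)))
    return sorted(findings)

def review(abi_json):
    """An unverified contract has no published ABI or source: report that first."""
    if not abi_json:
        return {"verified": False, "findings": []}
    return {"verified": True, "findings": flag_abi(abi_json)}

def fn(name, inputs=(), mutability="nonpayable"):
    """Build one constructed ABI entry."""
    return {"type": "function", "name": name, "stateMutability": mutability,
            "inputs": [{"type": t} for t in inputs]}

# Constructed ABI for a hypothetical token, in the JSON form explorers publish.
SAMPLE_ABI = json.dumps([
    fn("transfer", ("address", "uint256")), fn("balanceOf", ("address",), "view"),
    fn("owner", (), "view"), fn("mint", ("address", "uint256")),
    fn("setBlacklist", ("address", "bool")), fn("setSellFee", ("uint256",)),
    fn("pause"), fn("transferOwnership", ("address",)),
    {"type": "event", "name": "Transfer", "inputs": []},
])

if __name__ == "__main__":
    for category, signature in review(SAMPLE_ABI)["findings"]:
        print(category, signature)
```

A hit is a prompt to read the source for who can call the function and whether it is capped, not a verdict. A function with an innocuous name will not be flagged, which is why this kind of scan does not replace an audit.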


Red Flag 7: Aggressive and Unrealistic Marketing

The marketing of a new crypto project tells you a great deal about its intentions. Legitimate projects communicate honestly about their technology, their progress, and the genuine risks involved. Projects designed to extract money from investors use marketing to manufacture emotional responses that override analytical thinking.

Specific marketing red flags to watch for: guaranteed return promises of any kind, celebrity endorsements that cannot be independently verified through the celebrity’s own channels, countdown timers and limited availability claims creating artificial urgency, price prediction language framed as fact rather than possibility, testimonials from investors claiming extraordinary returns, and comparisons to Bitcoin or Ethereum in terms of investment returns rather than technological approach.

The psychology of trading resource covers how FOMO is deliberately triggered by scam marketing operations. The intensity of a project’s marketing is an inverse signal of its likely credibility. Legitimate projects build value through technology and utility. Fraudulent projects build momentum through manufactured excitement.


Red Flag 8: Community That Suppresses Questions

The behaviour of a project’s community, across Discord, Telegram, Twitter, and Reddit, is a revealing indicator of the project’s actual confidence in its own fundamentals.

Legitimate projects with genuine technology and honest teams welcome hard questions. Technical scrutiny is not a threat to a project that has nothing to hide. Critical community members are engaged with, not silenced.

Fraudulent projects actively manage their information environment to suppress due diligence. Members who ask hard questions about the team’s identity, the smart contract code, the tokenomics, or the use of investor funds are mocked, dismissed, or removed. Moderators redirect critical threads. The dominant community narrative is promotional rather than analytical.

As covered in our how to spot a rug pull resource, manufactured community momentum is a deliberate tactic used to suppress the analytical behaviour that would identify a scam before it completes. A community that cannot tolerate questions is a community protecting a fraud.


Red Flag 9: Unrealistic Roadmap or No Roadmap

A project’s roadmap communicates what it intends to build, by when, and with what resources. It is a commitment that can be evaluated against subsequent reality.

Red flags in the roadmap category include: no roadmap at all, a roadmap with vague milestones that cannot be objectively evaluated, timelines that are unrealistically aggressive relative to the complexity of the claimed development, milestones that have been missed without explanation or acknowledgement, and roadmaps that are heavy on marketing and business development milestones while light on technical development.

Cross-referencing a project’s GitHub activity, where available, against its claimed development progress provides an objective signal. Active, meaningful code commits from multiple contributors over time indicate genuine development activity. A GitHub repository with minimal activity, sparse commits, or code that appears copied from other projects tells a different story.


Red Flag 10: Pressure to Act Before Research Is Complete

This is the behavioural red flag that wraps all the others. Any pressure, from a project’s marketing, its community, or any individual associated with it, to invest before you have completed your due diligence is itself a red flag.

Legitimate projects are confident enough in their fundamentals to allow investors the time needed to research properly. Fraudulent projects create urgency because the fraud cannot withstand scrutiny. The “presale ends in 24 hours,” “whitelist spots almost full,” and “early investors getting in now” language is designed to make you act before you’ve had time to find the problems.

If any project is making you feel that you don’t have time to research properly, that is the single most important signal to do more research, not less.

The combination of DYOR, understanding how to avoid crypto scams, and applying the rug pull identification checklist to every new project creates a research framework that catches most fraudulent projects before any capital is at risk. The dangers of fake airdrops and phishing scams resources round out the full picture of how new projects are used as vehicles for investor harm.


Key Takeaways

Security red flags in new crypto projects span every dimension of the project: anonymous and unverifiable teams, absent or plagiarised whitepapers, no credible smart contract audit, problematic tokenomics with concentrated supply and no lockups, unlocked liquidity, suspicious contract functions, aggressive marketing with unrealistic promises, communities that suppress due diligence, unrealistic or absent roadmaps, and artificial pressure to invest before research is complete.

No single red flag is automatically disqualifying in isolation. Multiple red flags together build a picture that serious investors should walk away from without hesitation. The projects worth investing in can withstand scrutiny. The ones that can’t are telling you something important.


WRITTEN & REVIEWED BY Chris Shepley

UPDATED: MARCH 2026
