A crypto due diligence checklist covers every aspect of a target company or project that must be reviewed before an acquisition. In Web3, this means traditional business factors plus crypto-specific elements such as token economics, smart contracts, code audits, and blockchain analytics. Due diligence verifies project claims and uncovers hidden issues; skipping it risks overpaying, inheriting undisclosed debt, or acquiring misrepresented assets.
Why due diligence matters
The Web3 space operates in a regulatory environment that shifts constantly, with billion-dollar projects collapsing overnight when compliance frameworks fail. Smart contract vulnerabilities, token distribution flaws, and inadequate anti-money laundering controls create risks that don't exist in traditional businesses. Crypto due diligence helps you identify whether a project has solid foundations or merely appears successful on the surface.
Beyond protecting your capital, a thorough investigation reveals hidden liabilities that sellers may not disclose willingly. Past enforcement actions, questionable wallet transactions, or gaps in intellectual property protection can all emerge during proper investigation. The process also gives you leverage during price negotiations, as documented weaknesses provide concrete reasons to adjust the valuation or walk away entirely.
Web3 introduces a paradigm where code governs operations, tokens represent value, and decentralized communities hold influence. Traditional due diligence misses these nuances. A project may show strong financials yet have smart contract bugs that could drain funds overnight or maintain high trading volumes while facing regulatory risks.
When to start the crypto due diligence process
Start due diligence before signing binding agreements, ideally once a serious acquisition target is identified. Buyers often include a 5 to 10 business-day due diligence period in the purchase contract, allowing termination if major issues arise.
During this phase, the buyer signs Non-Disclosure Agreements (NDAs) and requests access to a data room. The buyer can then file formal requests for information (RFIs) or due diligence letters to the seller for specific documents. There’s a lot to take in, so it’s advisable to hire a team of accountants and lawyers to review all materials. The process can last days to months, as it involves analyzing records, contracts, financials, and technical data, often via digital deal rooms.
Requests for information template
Create a formal document request that outlines every category of information you need to evaluate the business properly. Include traditional items like financial statements and legal contracts, plus blockchain-specific elements such as smart contract audit reports, tokenomics documentation, and wallet transaction histories.
Also, request access to a secure data room for sensitive materials and ensure all parties sign NDAs before sharing proprietary information. Include questions about the seller’s exit reasons, other buyers who withdrew, and the expected purchase price range.
Here’s an example of an RFI request:
Dear [Seller],
Due diligence checklist for Web3 projects
While the fundamentals of due diligence remain rooted in financial analysis and legal review, blockchain technology introduces unique considerations that can make or break your investment. These are the areas you should examine before signing the purchase agreement.
Legal structure and compliance status
- First, verify how the target entity is legally organized and where it operates. Web3 projects often use complex structures involving offshore foundations, decentralized autonomous organizations, and multiple subsidiary entities across different jurisdictions. Understanding this architecture helps you identify potential regulatory conflicts and determine which laws apply.
- Review all incorporation documents, shareholder agreements, and constitutional documents for DAOs if applicable.
- Pay special attention to decision-making procedures, investor veto rights, and governance token distribution.
- Projects using legal wrappers for decentralized organizations need careful examination of how control flows between the traditional entity and on-chain governance.
Regulatory licenses and registrations
- Check whether the project holds the necessary licenses in every jurisdiction where it serves customers. Many crypto businesses operate without proper registration, creating immediate liability for new owners.
- Confirm that the entity can legally transfer licenses and permits to you, as some regulatory frameworks prohibit license sales or require new applications.
- Jurisdictions classify crypto businesses differently, using terms like Virtual Asset Service Providers (VASPs), Money Services Businesses, or Crypto-Asset Service Providers. Verify the target holds the required registrations in every location where it operates. In the U.S., this usually means registration with FinCEN as a money services business (money transmitter) plus money transmitter licenses in the relevant states.
- Review correspondence with regulators, including audit reports, examination findings, and enforcement actions. Check for fines, penalties, or operational restrictions. Confirm all licenses are current and renewal dates are documented.
- For projects operating globally, understand how different regulatory regimes interact. A business licensed in one jurisdiction may face restrictions when serving customers in another. Some countries have implemented comprehensive frameworks like the European Union's Markets in Crypto-Assets regulation, while others maintain ambiguous or hostile positions toward digital assets.
AML and KYC standards
- Assess whether the target has strong Know Your Customer procedures, transaction monitoring, and suspicious activity reporting. The Financial Action Task Force's Travel Rule requires VASPs to collect and share originator and beneficiary information for transfers at or above the USD/EUR 1,000 threshold FATF recommends; individual jurisdictions set their own thresholds and implementation details.
- Request AML program documentation, including policies, transaction monitoring systems, and staff training records.
- Verify customer screening against sanctions lists and politically exposed persons databases.
- Confirm screening frequency and coverage of all supported blockchains and tokens.
- Review the target's suspicious activity reporting history, to the extent the law permits, to identify potential compliance issues. In the U.S., SAR confidentiality rules restrict disclosure of the filings themselves, so expect aggregate counts and program metrics rather than individual reports.
- Assess the compliance team’s size and qualifications. Many crypto firms initially hired developers lacking AML expertise, creating regulatory gaps.
Intellectual property rights
- In blockchain projects, separating IP ownership becomes particularly challenging. Code repositories, protocol designs, token standards, and even community-created content may have unclear ownership. Determine what IP the target entity actually controls versus what belongs to token holders, open-source contributors, or affiliated DAOs.
- Check all patent applications, trademark registrations, and copyright filings. Many Web3 projects use open-source licenses, so verify which components can be used commercially and whether any code dependencies create licensing conflicts.
- Review developer contracts to ensure all work-for-hire agreements properly assign IP rights to the company.
- Search for any ongoing patent litigation or infringement claims. The blockchain space has seen increasing patent assertions, and inheriting these battles can prove costly.
Sanctions and risk exposure
- The Office of Foreign Assets Control and other authorities enforce sanctions on crypto transactions. Verify the business screens wallet addresses and transactions against sanctions lists.
- Check for exposure to high-risk jurisdictions or dealings with sanctioned entities.
- Review blockchain analytics showing the share of funds linked to illicit categories. Even small sanctioned fund flows can trigger enforcement.
- Confirm procedures exist to freeze and report sanctioned transactions.
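The screening step above, as an added example that is not part of the original checklist and not any vendor's code: addresses are normalized before matching (EIP-55 mixed case is a checksum, not identity), every transfer touching a listed counterparty is flagged, and the share of inbound volume that came directly from listed addresses is computed per asset. The sanctions entries, wallets and transfers are constructed; the list stands in for an OFAC SDN export or an analytics feed, and only one-hop exposure is measured.

```python
"""Sanctions screening of wallet addresses and direct-exposure estimate.

Added example for this checklist, not code from the original article or from
any analytics vendor. The sanctions entries, wallet addresses and transfers
below are constructed; "direct exposure" counts only one-hop transfers.
"""
import re
from collections import defaultdict

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Canonical form for matching: valid 20-byte hex, lowercased.
    EIP-55 mixed case is a checksum, not identity, so matching is case-insensitive."""
    addr = addr.strip()
    if not HEX_ADDR.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def load_sanctions(entries):
    """entries: iterable of (address, label). Returns {normalized address: label}."""
    return {normalize(addr): label for addr, label in entries}


def screen_transfers(transfers, sanctioned, our_addresses):
    """transfers: iterable of (sender, receiver, amount, asset).

    Flags every transfer touching a sanctioned counterparty and computes, per
    asset, the share of inbound volume that came directly from sanctioned
    addresses. Outbound hits are flagged but do not enter the share."""
    ours = {normalize(a) for a in our_addresses}
    inbound = defaultdict(float)
    tainted = defaultdict(float)
    hits = []
    for sender, receiver, amount, asset in transfers:
        s, r = normalize(sender), normalize(receiver)
        if r in ours:
            inbound[asset] += amount
            if s in sanctioned:
                tainted[asset] += amount
                hits.append({"direction": "inbound", "counterparty": s,
                             "label": sanctioned[s], "amount": amount, "asset": asset})
        if s in ours and r in sanctioned:
            hits.append({"direction": "outbound", "counterparty": r,
                         "label": sanctioned[r], "amount": amount, "asset": asset})
    share = {a: (tainted[a] / inbound[a] if inbound[a] else 0.0) for a in inbound}
    return {"hits": hits, "inbound_by_asset": dict(inbound),
            "sanctioned_inbound_share": share}


# Constructed sample data: not real designations and not real wallets.
OUR_WALLETS = ["0x" + "aa" * 20]
SANCTIONS = load_sanctions([
    ("0x" + "11" * 20, "SDN: mixer contract (constructed)"),
    ("0x" + "DeAdBeEf" * 5, "SDN: ransomware wallet (constructed)"),
])
TRANSFERS = [
    ("0x" + "33" * 20, OUR_WALLETS[0], 900.0, "USDC"),   # clean inbound
    ("0x" + "11" * 20, OUR_WALLETS[0], 100.0, "USDC"),   # inbound from listed address
    (OUR_WALLETS[0], "0x" + "deadbeef" * 5, 0.5, "ETH"),  # outbound to listed address
    ("0x" + "44" * 20, OUR_WALLETS[0], 2.0, "ETH"),      # clean inbound
]


def run_sample():
    """Screen the constructed ledger and return the report dict."""
    return screen_transfers(TRANSFERS, SANCTIONS, OUR_WALLETS)


if __name__ == "__main__":
    report = run_sample()
    for h in report["hits"]:
        print(f"{h['direction']:8} {h['amount']:>8} {h['asset']:5} {h['label']}")
    for asset, s in report["sanctioned_inbound_share"].items():
        print(f"{asset}: {s:.1%} of inbound volume came directly from listed addresses")
```

On the constructed ledger this reports two hits (one inbound, one outbound) and a 10% sanctioned share of inbound USDC. Any non-zero hit count is the finding that matters for enforcement exposure; the share is what you use to size the problem in the price negotiation.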
Legal disputes and litigation
- Request disclosure of all pending lawsuits, regulatory investigations, and arbitration proceedings.
- Review settled cases from recent years for dispute patterns indicating underlying issues.
- For blockchain projects, check challenges to token classification, securities compliance, or marketing claims.
- Review class action allegations, especially claims that token sales violated securities laws. Such cases may take years and pose significant liability.
- Confirm the business has adequate insurance and legal reserves.
Financial performance
- Request at least three years of audited financial statements, including income statements, balance sheets, and cash flow reports. Compare these against industry benchmarks to identify anomalies.
- Web3 businesses often show volatile revenue patterns tied to crypto market cycles, so analyze whether income remains stable during downturns or evaporates when token prices drop.
- Examine accounts receivable and payable to understand cash flow timing. Many crypto businesses deal primarily in digital assets rather than fiat currency, creating unique accounting challenges.
- Verify that the company uses appropriate methods to value cryptocurrency holdings and properly accounts for token-based compensation.
- Your team should also check for outstanding debts, unpaid taxes, or deferred liabilities that transfer with ownership. Some loans may require immediate repayment or refinancing.
Tax obligations and liabilities
- Crypto businesses face complex tax issues across jurisdictions, asset classifications, and evolving guidance. Request at least three years of tax returns covering income, sales, employment, and jurisdiction-specific requirements.
- Verify proper accounting for cryptocurrency gains and losses, token-based compensation, staking rewards, and DeFi yields.
- Many jurisdictions require detailed crypto transaction reporting and impose penalties for non-compliance. Check for tax notices or audits.
Products and token economics
- Analyze the project’s token distribution, utility design, and economic incentives.
- Request detailed tokenomics documentation covering supply schedules, vesting, burn mechanisms, and governance rights.
- Assess if tokens have genuine ecosystem utility or mainly speculative value.
- Identify supported blockchain networks and assess smart contract quality.
- Determine if the project offers staking, lending, yield generation, or other DeFi features. Each carries risks in smart contract security, economic sustainability, and regulatory compliance.
- Review whitepapers, technical documents, and development roadmaps.
- Assess if the project meets its promises or overstates capabilities.
- Compare usage metrics with marketing claims on adoption and community size.
Physical and digital assets
- Inventory all equipment, servers, and physical infrastructure the business uses.
- For projects running validator nodes or mining operations, evaluate the condition and replacement timeline for hardware.
- Determine whether assets are owned outright or leased, and review maintenance records.
- Beyond physical items, catalog the domain names, social media accounts, software licenses, cloud service subscriptions, and other digital assets.
- Verify that custody solutions for cryptocurrency holdings meet institutional security standards: hardware-backed or MPC key storage, multi-signature or threshold signing with a documented signer list and quorum, written key-ceremony and recovery procedures, and insurance coverage.
- Determine if the project uses third-party custodians or self-custody. Self-custody risks arise if key holders leave or security lapses occur. Third-party custodians introduce counterparty risk but may offer better insurance and recovery options.
Operational presence and transparency
- Identify locations of decision-makers, technical teams, and operational infrastructure. Projects incorporated in one jurisdiction but operated elsewhere may face regulatory issues.
- Verify reliance on third-party service providers and their locations.
- Verify transparency of beneficial ownership, financial reserves, and operational metrics.
- Token issuers should publish regular reserve attestations and make wallets publicly viewable.
- DeFi protocols must provide clear documentation of treasury management and spending.
Workforce and benefits
- Obtain a full list of employees, contractors, and service providers with compensation, roles, and contract terms. Web3 teams often include pseudonymous contributors, remote workers across countries, and token-based compensation that may not be tracked by traditional HR systems.
- Verify compliance with employment taxes, workers’ compensation insurance, and benefits administration.
- Check for claims of wrongful termination, discrimination, or harassment that may arise post-acquisition.
- Review hiring procedures and assess if special qualifications or licenses are needed to employ certain team members.
- Identify team members with critical knowledge and their likelihood to stay post-acquisition. In many Web3 projects, a few developers understand the entire codebase; their departure could cripple operations.
- Consider if internal staff can manage operations or if external leadership is needed.
Data privacy and IT security
- Web3 businesses collect substantial user data despite decentralization. Verify compliance with data protection laws such as GDPR for businesses serving European customers.
- Review data handling, storage, and security measures.
- Request IT security policy documents, including penetration test results, incident response, and disaster recovery plans.
- For smart contract projects, obtain audit reports from reputable firms, confirm that the audited commit matches the deployed bytecode (or the verified source on a block explorer), and check that each finding was remediated or explicitly accepted with a stated reason.
- Verify bug bounty programs and responses to vulnerability disclosures.
- Assess the technology stack for dependencies on third-party services or protocols.
- Projects built on other DeFi protocols inherit their security risks.
- Confirm monitoring systems detect and respond to attacks promptly.
Material contracts and partnerships
- Review all significant agreements, including supplier contracts, partnerships, and service provider relationships.
- Determine if contracts transfer with ownership or require renegotiation. Some may include change-of-control clauses allowing termination upon sale.
- For Web3 projects, review agreements with exchanges for token listings, partnerships with protocols, and integrations with wallets or custody providers. These affect market access and utility.
- Confirm that no hidden or informal agreements could impact post-acquisition operations.
Customer base and market position
- Obtain lists of major customers or users by transaction volume and assess concentration risk.
- Calculate customer lifetime value and retention.
- For consumer platforms, evaluate engagement beyond wallet counts, as many addresses are inactive or bots.
- Review customer service procedures, complaint handling, and refund policies.
- Verify adequate support infrastructure and timely assistance.
- Examine online reviews, social media sentiment, and community feedback to assess genuine satisfaction versus paid promotion.
Common warning signs
Several red flags warrant extra scrutiny or reconsideration of the acquisition, including:
- Projects lacking basic documentation, proper licenses, or transparent wallet management pose serious risks.
- Teams with abandoned projects, pseudonymous leadership, avoiding KYC, rushed timelines, and pressuring quick decisions warrant skepticism.
- Tokenomics heavily favoring insiders, unrealistic yield promises, or reliance on fragile protocol relationships are warning signs.
- Unaudited smart contracts, frequent security incidents, or reliance on upgradeable contracts whose admin key is a single externally owned account rather than a multisig behind a timelock are also red flags: whoever holds that key can replace the logic and drain user funds.
- Past enforcement actions, operations in hostile jurisdictions, or acknowledgment that tokens may be securities raise concerns.
- Inflated trading volumes, manipulated social media metrics, or concentrated token ownership by a few wallets require careful investigation.
- Community warnings, developer departures, or declining on-chain activity often indicate deeper issues.
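The upgradeable-contract red flag above is one of the few on this list that can be checked directly on chain. The following is an added example, not code from the original article or from any project: it reads the three EIP-1967 storage slots of a contract, decides whether it is a proxy, and rates who controls upgrades. On a live network the two reader callables would wrap the JSON-RPC methods `eth_getStorageAt` and `eth_getCode`; here `sample_storage` and `sample_code` are hypothetical callables fed from a constructed in-memory snapshot so the check runs offline, and the slot constants are hard-coded because the standard library has no keccak-256.

```python
"""EIP-1967 proxy and upgrade-admin check from raw contract storage.

Added example for this checklist, not code from the original article or any
project. `get_storage` and `get_code` stand in for eth_getStorageAt and
eth_getCode; the snapshot below is constructed.
"""

# EIP-1967 slots: keccak256("eip1967.proxy.<name>") - 1 for the names
# "implementation", "admin" and "beacon". Hard-coded: stdlib lacks keccak-256.
IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
BEACON_SLOT = 0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50
ZERO_ADDRESS = "0x" + "00" * 20


def word_to_address(word: bytes) -> str:
    """Low-order 20 bytes of a 32-byte storage word as a lowercase hex address."""
    if len(word) != 32:
        raise ValueError("storage word must be 32 bytes")
    return "0x" + word[12:].hex()


def inspect_upgradeability(contract, get_storage, get_code, trusted_governance):
    """Classify `contract` and rate who can swap its logic.

    get_storage(address, slot) -> 32 bytes; get_code(address) -> bytes.
    trusted_governance: lowercase addresses the reviewer has already verified
    as a multisig-behind-timelock or DAO executor."""
    impl = word_to_address(get_storage(contract, IMPLEMENTATION_SLOT))
    beacon = word_to_address(get_storage(contract, BEACON_SLOT))
    admin = word_to_address(get_storage(contract, ADMIN_SLOT))

    if impl == ZERO_ADDRESS and beacon == ZERO_ADDRESS:
        return {"proxy": False, "risk": "none",
                "note": "no EIP-1967 slots set; immutable unless a non-standard pattern is used"}

    kind = "beacon" if beacon != ZERO_ADDRESS else "transparent-or-uups"
    result = {"proxy": True, "kind": kind, "implementation": impl,
              "beacon": beacon, "admin": admin}
    if kind == "beacon":
        # Upgrade power sits with the beacon's owner, so the review moves there.
        result.update(risk="review", note="inspect the beacon contract's owner")
    elif admin == ZERO_ADDRESS:
        # Empty admin slot with a set implementation is the UUPS shape.
        result.update(risk="review",
                      note="likely UUPS; upgrade auth lives in the implementation's upgrade guard")
    elif admin in trusted_governance:
        result.update(risk="low", note="admin is a reviewed governance contract")
    elif get_code(admin) == b"":
        result.update(risk="high",
                      note="admin is an externally owned account; one key can replace the logic")
    else:
        result.update(risk="review",
                      note="admin is an unreviewed contract; confirm multisig/timelock and signers")
    return result


# Constructed snapshot: three contracts, none of them real deployments.
def _word(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])

PLAIN = "0x" + "01" * 20       # no proxy slots set
PROXY_EOA = "0x" + "02" * 20   # transparent proxy administered by a bare key
PROXY_GOV = "0x" + "03" * 20   # transparent proxy administered by a timelock
IMPL = "0x" + "10" * 20
EOA_ADMIN = "0x" + "20" * 20
TIMELOCK = "0x" + "30" * 20

SNAPSHOT_STORAGE = {
    (PROXY_EOA, IMPLEMENTATION_SLOT): _word(IMPL),
    (PROXY_EOA, ADMIN_SLOT): _word(EOA_ADMIN),
    (PROXY_GOV, IMPLEMENTATION_SLOT): _word(IMPL),
    (PROXY_GOV, ADMIN_SLOT): _word(TIMELOCK),
}
SNAPSHOT_CODE = {TIMELOCK: b"\x60\x80\x60\x40"}  # any bytecode; EOAs have none


def sample_storage(address, slot):
    return SNAPSHOT_STORAGE.get((address, slot), bytes(32))


def sample_code(address):
    return SNAPSHOT_CODE.get(address, b"")


def run_sample():
    """Inspect the three constructed contracts with TIMELOCK as trusted governance."""
    return {c: inspect_upgradeability(c, sample_storage, sample_code, {TIMELOCK})
            for c in (PLAIN, PROXY_EOA, PROXY_GOV)}


if __name__ == "__main__":
    for contract, verdict in run_sample().items():
        print(contract, verdict["risk"], verdict["note"])
```

The "review" outcomes are deliberate: a beacon or UUPS proxy is not bad in itself, but the check cannot settle who holds upgrade power without reading the next contract, and a contract admin that is not yet in your trusted set still needs its signers and timelock delay confirmed before it earns "low".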
When to walk away
Some deals remain viable despite issues if priced properly or remediable post-acquisition. However, undisclosed regulatory investigations, material misrepresentations, or sanctioned transaction processing should end negotiations immediately.
Decline if the seller refuses requested information, pressures you to skip crypto due diligence, or cannot prove legal ownership of key assets. Projects with fundamental smart contract flaws, unresolvable licensing issues, or token distributions that let insiders block or capture governance rarely justify the risk. For example, if your team learns that significant revenues are fictitious or that the company's products violate the law, you may need to renegotiate or exit.
Trust your judgment if something feels wrong. The Web3 space has seen many failures, so healthy skepticism benefits buyers. Better opportunities exist, and preserving capital outweighs rushing into risky acquisitions.