We Investigated 12 Hackathons Across $4M+ in Prizes. None Protect Submissions.
12 events audited. 6 infrastructure gaps mapped. 8 real cases of plagiarism, IP seizure, and unfair judging documented — all publicly sourced and independently verified.
At a hackathon last year, a team presented a pitch in the first round. Two weeks later, another team — with access to the same judging pool — submitted a suspiciously similar concept. There was no audit trail. No access logs. No way to prove who saw what and when.
The team that built the original idea had no recourse. The team that may have copied it faced no scrutiny. And the organizer had no tools to investigate even if they wanted to.
We thought this was an edge case. Then we investigated 12 hackathons across 4 continents — and found it's the default.
Methodology: Between January and February 2026, we reviewed public submission processes, event rules, judging structures, and social media reports for 12 hackathon events. We also investigated 8 documented cases of submission security failures from 2025 to February 2026. We examined platform documentation (DevPost, Devfolio, DoraHacks, TAIKAI), event-specific rules pages, public GitHub repositories, court records, and first-hand accounts from participants. All findings are independently verifiable through the sources linked throughout this article.
Requests for comment: All organizations featured were contacted prior to publication. ETHGlobal CEO Kartik Talwar responded with detailed comments, noting that teams are informed which judges evaluated their submissions, that timestamps exist on all submissions (server-side, not blockchain), that disputes are handled via email and support channels, and that across 15,000+ project submissions since 2017 there have been no public complaints regarding accountability. His full position is reflected in the ETHGlobal audit section below. Avalanche Foundation, BNB Chain (via DoraHacks), Chainlink, Web3Privacy Now, and TCS did not respond. SuperteamIN and CRED responded to their respective incidents publicly (documented in Cases 2 and 3).
This isn't an edge case. This is the default.
Every major hackathon platform — DevPost, Devfolio, DoraHacks, TAIKAI — focuses on event logistics. None of them protect the work being submitted.
Why This Matters Beyond Prizes
Hackathons are not just competitions — they are the primary entry point into Web3. The pipeline is well-documented: a developer attends a hackathon, builds a first project, gets noticed by a protocol team, receives a grant, and launches what becomes real infrastructure. Uniswap, Filecoin, ENS, and dozens of major protocols started as hackathon submissions.
When submission security fails, it doesn't just affect one team — it poisons the pipeline. A developer who gets plagiarized at their first hackathon doesn't come back. A builder who sees prizes go to copied projects stops building. The ecosystem loses its next wave of contributors — not to a competitor, but to disillusionment.
This isn't about protecting prize money. It's about protecting the mechanism that produces the next generation of Web3 builders. If hackathons lose credibility, the entire ecosystem's talent pipeline breaks.
The Scale of the Problem
In 2025 alone, ETHGlobal — the largest Ethereum hackathon organizer — ran events across 5 continents, awarding over $2 million in total prizes to 10,000+ developers. Single-event prize pools now exceed $1 million (ETHDenver, Avalanche Build Games, Hedera).
Corporate hackathons are even larger — TCS ran an AI hackathon with 281,000 participants across 58 countries, where submissions were evaluated for commercial integration.
And yet, every major hackathon platform focuses on the same thing: registration, team formation, judging forms. No access logging. No chain-of-custody for shared materials. No formal dispute resolution. No audit trail.
Part I: The Infrastructure Gap — 6 Major Hackathons Audited
We started by auditing the submission security of 6 major hackathon programs — from the largest Ethereum events to corporate competitions. To be clear: these are not accusations. These are observations about publicly documented processes. Every organizer listed below runs a legitimate, well-intentioned event. The gap isn't incompetence — it's the absence of infrastructure that doesn't exist yet.
- No independently verifiable record of judge-submission assignments
- All submissions publicly visible before and during judging
- No published dispute resolution process with defined timelines
- No blockchain timestamps on submissions
- 6-week window with ideas exposed, no audit trail
- No submission access logging
- "Long-Term Intent" assessed with no verification
- No audit trail for judge access to submissions
- Community voting vulnerable to whale manipulation
- No dispute resolution process
- Public GitHub repos — visible before judging
- Privacy track with no submission privacy
- Submissions via Airtable form
- No IP chain-of-custody for commercial products
- No audit trail at enterprise standards
- Regulatory risk with AI-evaluated submissions
- Public PRs expose all ideas before evaluation
- Privacy-focused event with zero submission privacy
- No access logging or audit trail
The Gap, Summarized
Note: This table compares hackathon platforms — services that multiple organizers use to host events (DevPost, Devfolio, DoraHacks, TAIKAI). Event organizers like ETHGlobal use their own proprietary submission system and are assessed separately in the audit cards above.
| Protection Layer | DevPost | Devfolio | DoraHacks | TAIKAI | Any? |
|---|---|---|---|---|---|
| Submission upload | Yes | Yes | Yes | Yes | Yes |
| Access logging | No | No | No | No | No |
| Blockchain timestamps | No | No | Partial | Partial | No |
| Judge audit trail | No | No | No | No | No |
| Dispute resolution | No | No | No | No | No |
| IP protection | No | No | No | No | No |
Every platform handles the logistics. Zero platforms handle the integrity.
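What the "Access logging" and "Judge audit trail" rows would record in practice, as an added sketch that is not code from any platform named in this article: a hash-chained log in which every submit or view event commits to the one before it, so edits and deletions become detectable. Field names, actors, and timestamps are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def digest(body):
    # Canonical JSON so an entry always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode()).hexdigest()


def append(entries, ts, actor, action, submission_sha256):
    """Add an entry that commits to the previous one; return the new head."""
    body = {"seq": len(entries), "ts": ts, "actor": actor, "action": action,
            "submission_sha256": submission_sha256,
            "prev_hash": entries[-1]["entry_hash"] if entries else GENESIS}
    entries.append({**body, "entry_hash": digest(body)})
    return entries[-1]["entry_hash"]


def verify(entries, expected_head=None):
    """Return -1 if intact, else the index where verification first fails."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["seq"] != i or e["prev_hash"] != prev or digest(body) != e["entry_hash"]:
            return i
        prev = e["entry_hash"]
    # Dropping the newest entries leaves a valid chain, so truncation is only
    # caught by comparing against a head recorded outside the platform.
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return -1


def viewers_before(entries, submission_sha256, cutoff_ts):
    """Who viewed this submission before cutoff_ts (same-format UTC strings)."""
    return sorted({e["actor"] for e in entries
                   if e["action"] == "view" and e["ts"] < cutoff_ts
                   and e["submission_sha256"] == submission_sha256})


def build_sample_log():
    """Constructed sample data: one pitch, two judge views, a later submission."""
    pitch = hashlib.sha256(b"constructed pitch deck").hexdigest()
    later = hashlib.sha256(b"constructed later submission").hexdigest()
    log = []
    append(log, "2026-01-10T09:00:00Z", "team-a", "submit", pitch)
    append(log, "2026-01-10T12:30:00Z", "judge-1", "view", pitch)
    append(log, "2026-01-11T08:15:00Z", "judge-2", "view", pitch)
    head = append(log, "2026-01-24T10:00:00Z", "team-b", "submit", later)
    return log, head, pitch


if __name__ == "__main__":
    log, head, pitch = build_sample_log()
    print(verify(log, head), viewers_before(log, pitch, "2026-01-24T00:00:00Z"))
```

The chain shows that the log has not been altered since its head was recorded; it does not show that the timestamps were honest when written, which is why the head has to be published or timestamped somewhere the platform operator cannot rewrite.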
Part II: It's Already Happening — 6 Documented Cases (2025–2026)
The gaps above aren't theoretical. We investigated 6 hackathon events where the absence of submission security led to real harm — plagiarism, IP seizure, unfair disqualification, biased judging, and censorship. All cases are from 2025–2026 and publicly documented with sources.
Case 1: KagamiAI (ETHGlobal → HackQuest)
A team built KagamiAI at ETHGlobal New Delhi in September 2025, where it was selected as one of 10 finalists out of 616 projects. The team worked the entire weekend and collected real user feedback.
Shortly after, another participant copied the entire project — the code, the application, and even the demo video (which included the voice of one of the original team members) — and submitted it to a different hackathon (HackQuest).
The original team documented everything publicly and called for HackQuest to remove the fraudulent submission.
Case 2: getblink.fun (SuperteamIN)
Developer Shubh built getblink.fun — a no-code platform for creating Solana Blinks (193 commits, created August 2024). He applied for a SuperteamIN grant twice and was rejected both times, then closed the project due to costs.
Another developer, who had previously DM'd Shubh asking for help and received a link to the repository “to learn from,” copied the entire codebase line-by-line, renamed it “Blinker,” and won a SuperteamEarn grant.
When confronted with side-by-side code comparisons, the copier blocked the original author and deleted everything — their account, website, and repository. SuperteamIN acknowledged the report and began an investigation into the incident.
Case 3: CRED Rabbit Hole
CRED, the Indian fintech company founded by Kunal Shah, announced the Rabbit Hole AI Hackathon with a ₹50 lakh (~$60,000) prize. The original terms stated that all intellectual property rights in submissions “shall be deemed to be work for hire” and that CRED would own everything built during the event.
The backlash was immediate and massive. Developer Aditya Oberai's post calling it “a masterclass in how NOT to organize a hackathon” received over 1,100 likes. An IP lawyer warned participants that the terms amounted to “shrewdly asking you to give your idea, build it for them, and give you nothing in return.”
Additional complaints emerged: CRED required “Login with CRED” for registration (unrelated to the hackathon) and ran credit score checks on applicants without clear disclosure.
Kunal Shah responded within 24 hours: “Fair call outs on IP. Shouldn't have been there to start with. Dropping it.” The terms were revised to state: “Participants shall own all rights in their respective submissions.”
Case 4: Ethereum Argentina (Devconnect Buenos Aires)
During Devconnect Buenos Aires in November 2025, two separate hackathons ran in the same city. ETHGlobal's event (475 projects, $500,000 in prizes) paid all winners on time with no public disputes. Meanwhile, Ethereum Argentina's “Tierra de Buidlers” hackathon on TAIKAI (~355 participants, ~$30,000 in prizes) had a different outcome.
At the Ethereum Argentina hackathon, a team built two separate projects in different repositories with independent commit histories. One team member started solo, then a second joined. Both projects were approved, went through judging, and one won a prize.
In February 2026 — over two months later — the team was disqualified for “farming” and “shared codebase” — without any technical comparison of the code being provided as evidence.
When the team requested proof — a diff, a commit analysis, anything showing their codebases were shared — none was provided. The team was subsequently blocked from communication.
The contrast is instructive: at the same Devconnect, one organizer (ETHGlobal) ran a transparent process at scale and paid winners without incident; the other (Ethereum Argentina) disqualified a winning team months later without providing technical evidence.
Case 5: Bolt Hackathon
The Bolt hackathon — billed as “the world's largest hackathon” with 130,000+ registered builders and over $1 million in prizes — faced detailed criticism on Hacker News:
17 out of 20 main prizes went to projects from the US, Canada, and EU — despite those regions representing only ~25% of participants. At least one winner submitted a project with no working demo — only localhost screenshots and what critics described as an “AI-generated video.” Another winner reportedly did not submit a deployed URL, despite hosted URLs being explicitly required by the rules.
When participants raised concerns, Bolt moderated them off Reddit and Discord and blocked critics from posting.
Multiple participants independently corroborated the complaints, noting their fully functional, deployed projects lost to submissions with non-working demos.
Case 6: Geethanjali College
At a 48-hour hackathon organized by Geethanjali College of Engineering and Technology in March 2025, external participants paid ₹450 per person to attend and built fully functional projects.
All 6 prizes — 2 in each of the 3 categories (AI/ML, IoT, Open Innovation) — went exclusively to teams from the host college. Participants reported that several winning projects were “GPT-paste” with no understanding of the underlying code, and one IoT category winner's project did not function at all.
When external teams raised complaints in the event's group chat, organizers deleted posting permissions and ignored all further communication.
Part III: The Pattern Repeats — 2 More Cases (2025)
The cases above aren't isolated to elite events. The same structural failures repeat at every level — from college hackathons to cross-platform farming schemes.
Case 7: HackWithUttarPradesh
At HackWithUttarPradesh, hosted by Chandigarh University in November 2025, an external participant reported:
- No food provided despite promises
- Participants slept in corridors
- Biased judging favoring internal teams
- External teams completely ignored during evaluation
- Overall experience described as “a college promo, not a hackathon”
The pattern is identical to Case 6 (Geethanjali College) — host institution takes all prizes, external participants are treated as extras.
Case 8: Cross-platform farming
In December 2025, a community member documented that well-known crypto community leaders were “going from hackathon to hackathon, submitting the same project repeatedly without any shame whatsoever” — tagging ETHIndia, Devfolio, and other events.
No platform checks whether a submission has already won elsewhere. No cross-platform verification exists. The same codebase, the same demo, the same pitch — different prize pools.
The Pattern
These aren't isolated incidents. They're 8 symptoms of the same structural gap — spanning every category of hackathon from college events to $1M+ competitions:
| Case | Type |
|---|---|
| KagamiAI (ETHGlobal → HackQuest) | Project plagiarism |
| getblink.fun (SuperteamIN) | Code theft |
| CRED Rabbit Hole | IP rights seizure |
| Ethereum Argentina (Devconnect Buenos Aires) | Unjust disqualification |
| Bolt Hackathon | Biased judging + censorship |
| Geethanjali College | Conflict of interest |
| HackWithUttarPradesh | Biased judging |
| Cross-platform farming | Multi-event fraud |
Not Everyone Ignores the Problem
Two organizations in our investigation responded to integrity failures with concrete action. SuperteamIN (Case 2) acknowledged the plagiarism report and began an investigation; the copier subsequently deleted their account, website, and repository. CRED (Case 3) reversed predatory IP terms within 24 hours of public backlash. These responses show that when organizations take integrity seriously, the system can self-correct — but only when problems become public. The question is: why wait for a public incident when preventive infrastructure exists?
The Legal Perspective
IP law professionals have already flagged hackathon submission security as a growing concern. In the CRED Rabbit Hole case, an IP lawyer publicly warned that the hackathon's terms amounted to participants building for the organizer for free — a risk most participants never consider. The March 2025 Marseille court ruling accepting blockchain timestamps as valid copyright evidence establishes the legal framework: the tools for IP protection exist and courts recognize them. The gap is adoption, not technology.
Why This Is Getting Worse, Not Better
In February 2026, Changpeng Zhao (CZ) warned that the absence of privacy “may be the missing link for crypto payments adoption” — pointing out that on-chain transactions expose who pays whom and how much. The same logic applies to hackathons: when submissions, judge assignments, and scores sit on platforms with no access controls, the process is transparent in the worst sense — visible to anyone who wants to exploit it, invisible to anyone who wants to audit it.
The same week, Vitalik Buterin outlined a vision for cryptographic verification as default infrastructure — including “security deposits with onchain dispute resolution,” “ZK privacy-preserving payments and reputation,” and a principle he’s been advocating for years: “don’t trust; verify everything.” In a separate post, he endorsed a model that replaces identity with stake — where participants deposit a bond, act anonymously, and face slashing if they abuse the system.
When the founders of the two largest blockchain ecosystems are independently saying that privacy-preserving verification needs to be built into infrastructure — not bolted on after — the absence of these protections in hackathon submissions becomes more conspicuous, not less. The technology exists. The demand is being articulated at the highest levels. The gap is adoption.
The best defense is not secrecy. It's evidence.
Record everything. Trust timestamps. Blockchain doesn't lie.
The problem is documented. The solutions are known. What's missing is adoption.
Sources
- ETHGlobal Events: ethglobal.com/events
- ETHGlobal New Delhi 2025 Finalists (KagamiAI): x.com/ETHGlobal/status/1972276802270925116
- KagamiAI Plagiarism Thread: x.com/kararsweta/status/1976620328832094629
- KagamiAI Evidence Post: x.com/SoumikBaksi/status/1976615890042118231
- getblink.fun Original Repository: github.com/shubhiscoding/getblink.fun
- getblink.fun Code Theft Thread: x.com/LookWhatIbuild/status/1977478395022950907
- CRED Rabbit Hole IP Backlash: x.com/adityaoberai1/status/1902613859023847892
- CRED Rabbit Hole — OfficeChai Coverage (incl. Kunal Shah response): officechai.com
- Ethereum Argentina (Devconnect Buenos Aires) Disqualification Thread: x.com/CaptainCodeOnX/status/2021551261435429190
- Bolt Hackathon Fairness Discussion (Hacker News): news.ycombinator.com/item?id=44702465
- Bolt Hackathon Criticism: x.com/0xPaulius/status/1949427171769934070
- Geethanjali College Hackathon Bias Thread: x.com/mani_yadla_/status/1904515471430566362
- HackWithUttarPradesh — Biased Judging: x.com/AvAwasthi/status/1985223392015056964
- Cross-Platform Project Farming: x.com/_KxrMa_G/status/2002047507308982565
- Marseille Court — Blockchain as Legal Evidence: euipo.europa.eu
- Goodwin Law — France Blockchain Timestamping: goodwinlaw.com
- TCS AI Hackathon (281,000 participants): tcs.com
- Avalanche Build Games ($1M prize pool): build.avax.network/build-games
- Web3Privacy Now — Berlin Hackathon Submissions: github.com/web3privacy/hackathon-2025-berlin-submissions
- CZ on Privacy as the Missing Link for Crypto Adoption (Feb 15, 2026): x.com/cz_binance/status/2023016538677371079
- Vitalik Buterin — AI + Ethereum: Security Deposits, Onchain Dispute Resolution, ZK Privacy (Feb 9, 2026): x.com/VitalikButerin/status/2020963864175657102
- Vitalik Buterin — ZK Privacy-Preserving Reputation (Feb 11, 2026): x.com/VitalikButerin/status/2021594878162157948
- Vitalik Buterin / Davide Crapis — Replace Identity with Stake (Feb 11, 2026): x.com/VitalikButerin/status/2021586150973206827