Cracking DePIN: Decentralized Devices, Centralized Disasters

Guanxing Wen

Decentralized Physical Infrastructure Networks (DePIN) are the latest Web3 hype machine — powering cloud phones, GPU edge nodes, and rendering clients that promise to reshape the internet and reward you in tokens while doing it. But behind all the buzzwords and blockchain dashboards, we found a whole lot of the same old IoT security sins — just with more centralization and a bigger attack surface.

This talk walks through our analysis of three leading DePIN platforms with thousands of globally deployed nodes and billions in market cap. Spoiler: one MQTT command can hijack 62,000+ GPU nodes into a mining botnet. Another lets you backdoor a user’s cloud phone via a backend config that nobody remembered was public. And a rendering client with a $2B market cap? One malicious link = remote shell. Fun times.

We’ll break down each exploit path — from BLE interfaces and path traversal to cloud service misconfigs and full remote compromise — with demos, technical details, and enough “wait, what?” moments to go around. This is the first public teardown of DePIN from the attacker’s perspective, and it paints a messy picture: centralized control, proprietary blobs, and zero disclosure processes hiding behind a token-incentive façade.

Decentralization sounds cool. But when your orchestrator pushes unsigned payloads to 60,000 nodes, it doesn’t matter how many tokens you’re holding. Without open code, real audits, and actual bug bounties, DePIN is sleepwalking into an IoT-style disaster — just with more crypto and bigger GPUs.
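The failure mode above, an orchestrator whose unsigned commands every node obeys, has a standard node-side fix: authenticate and constrain each command before acting on it. The snippet below is an added illustration, not code from the talk or from any platform it examines; it assumes a constructed JSON command format and uses a per-node HMAC key as a stand-in for the orchestrator's signature (an asymmetric scheme where nodes hold only a public key is the stronger choice), and it rejects unsigned, tampered, replayed and non-allowlisted commands.

```python
import hashlib
import hmac
import json

# Per-node secrets (constructed sample values). A real deployment provisions
# these out of band; with asymmetric signing the node would hold only a public key.
NODE_KEYS = {"node-0001": b"constructed-secret-for-node-0001"}

# The only commands a node will execute; anything else (e.g. a shell) is refused.
ALLOWED_CMDS = {"restart_worker", "update_config", "report_status"}

REQUIRED = ("node_id", "seq", "cmd", "args", "sig")


def canonical_bytes(msg: dict) -> bytes:
    """Serialize the signed fields deterministically so both sides MAC identical bytes."""
    body = {k: msg[k] for k in ("node_id", "seq", "cmd", "args")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(msg: dict, key: bytes) -> str:
    return hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()


def make_command(node_id: str, seq: int, cmd: str, args: dict) -> str:
    """Orchestrator side (hypothetical): build and sign a command for one node."""
    msg = {"node_id": node_id, "seq": seq, "cmd": cmd, "args": args}
    msg["sig"] = sign(msg, NODE_KEYS[node_id])
    return json.dumps(msg)


def verify_command(raw: str, my_node_id: str, last_seq: int) -> tuple:
    """Node side: decide whether an MQTT message may be acted on.
    Returns (accepted, reason); the caller persists msg['seq'] only on accept."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return False, "malformed"
    if not isinstance(msg, dict) or any(k not in msg for k in REQUIRED):
        return False, "missing fields"          # unsigned or truncated command
    if msg["node_id"] != my_node_id:
        return False, "not addressed to this node"
    key = NODE_KEYS.get(my_node_id)
    if key is None:
        return False, "no key provisioned"
    if not hmac.compare_digest(sign(msg, key), str(msg["sig"])):
        return False, "bad signature"           # tampered or forged
    if not isinstance(msg["seq"], int) or msg["seq"] <= last_seq:
        return False, "replayed or stale"       # old message captured and resent
    if msg["cmd"] not in ALLOWED_CMDS:
        return False, "command not allowed"     # signed, but outside the allowlist
    return True, "ok"
```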

Bring your popcorn, and maybe cancel that DePIN investment.