Delve sold fake compliance then called the whistleblower a hacker
Delve was a Y Combinator startup that sold security compliance to other firms. It hit a $300 million value by promising audits in days, not months. Then an anonymous group called DeepDelver showed the audits were mostly fake. The founders hit back by calling the source a hacker.
Key Takeaways
- Delve, a compliance startup worth $300 million, was accused of selling fake security audits.
- Of the leaked reports, 493 of 494 were near-identical, down to the same typo.
- The people who knew stayed anonymous, and no Delve insider came forward by name.
- The CEO called the source a hacker, not a whistleblower, to discredit the report.
- Y Combinator cut ties and a class action followed, but the core harm was buyers trusting a fake.
What did Delve sell, and what went wrong?
Delve sold software that helps a company pass a security audit. The main one is SOC 2. It's a report a vendor shows customers to prove it keeps their data safe. The normal process takes six to twelve months. Delve promised the same result in days. AI agents would gather the proof and write the paperwork. That speed was the whole pitch.
The company came out of Y Combinator and grew fast. Its founders were Karun Kaushik and Selin Kocalar, both MIT dropouts in their early twenties, and both on the Forbes 30 Under 30 list. They raised about $35 million, including a Series A led by Insight Partners, and reached a $300 million value. Delve's own site still says it is "trusted by 1,500+ of the fastest-growing companies." It says its AI agents "take screenshots, write reports, and perform validation of your evidence for you."

Delve sold compliance "in days." Screenshot of delve.co.
That last line is the problem. An audit only means something if a real person checks the evidence. If a machine writes the report and a stamp signs it, the customer buys a document, not safety. The pitch that made Delve fast is the pitch that made the audits hollow. A compliance firm had quietly turned compliance into a copy job.
Why did no one push back on a five-day audit? Because the speed was the point. Customers wanted the badge to close deals. Investors wanted growth. The auditors got paid either way. Everyone in the chain had a reason not to ask how it was really done. So nobody asked.
What the anonymous critics found
In March 2026, an anonymous group writing as DeepDelver published an investigation. It was built on a leaked internal spreadsheet. The members were former customers who compared notes. Their numbers were hard to wave away. Of 494 SOC 2 reports, 493 used the same boilerplate text. Only the company name and logo changed. It read less like auditing and more like find-and-replace.
- All 259 Type II reports carried the same word-for-word auditor conclusion.
- The same typo, "Because there no security incidents reported," missing the word "is," showed up in all 259.
- One report still held a pasted product blurb: "Cluely is a desktop AI assistant to give you answers in real-time."
- In 259 unrelated companies, the test data was the same keyboard mash, "sdf, g, dlkjf."
- Auditor conclusions were written before clients had handed over any evidence.
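The findings above are the kind of thing a buyer can check without any insider access, given a batch of report texts. The script below is an added example, not DeepDelver's tooling or anything from Delve; the report texts, client names and the "Echo Systems" contrast report are constructed, and the shared typo and test-data strings are taken from the article. It masks the client name, flags reports that are near-identical after masking, and lists any marker string that recurs across more than one unrelated client.

```python
"""
Added example (not DeepDelver's or Delve's own tooling): a due-diligence check
that takes a batch of audit-report texts and flags (1) reports that are
near-identical once the client name is masked and (2) strings, such as a typo
or placeholder test data, that recur verbatim across unrelated clients.
"""
from __future__ import annotations

import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample reports. The boilerplate, typo and test data are modelled
# on the findings described in the article; the client names are invented.
BOILERPLATE = (
    "Independent auditor's opinion for {client}. We examined {client}'s "
    "controls over the review period. Because there no security incidents "
    "reported, no exceptions were noted. Sample test record: sdf, g, dlkjf. "
    "In our opinion, {client}'s controls operated effectively."
)

REPORTS = {
    "Acme Widgets": BOILERPLATE.format(client="Acme Widgets"),
    "Blue Harbor Inc": BOILERPLATE.format(client="Blue Harbor Inc"),
    "Cobalt Labs": BOILERPLATE.format(client="Cobalt Labs"),
    "Delta Foods": BOILERPLATE.format(client="Delta Foods"),
    # One constructed report written against specific evidence, for contrast.
    "Echo Systems": (
        "Independent auditor's opinion for Echo Systems. We reviewed 14 change "
        "tickets, 3 incident postmortems and quarterly access reviews for the "
        "period. Two exceptions were noted in access revocation timing and "
        "were remediated during fieldwork. Sample test record: CHG-2041."
    ),
}

# Strings that should never recur verbatim across unrelated clients.
ANOMALY_MARKERS = [
    "Because there no security incidents reported",  # the shared typo
    "sdf, g, dlkjf",                                 # keyboard-mash test data
]


def normalize(text: str, client: str) -> str:
    """Mask the client name and collapse case and whitespace so only the
    substance of the report is compared."""
    masked = re.sub(re.escape(client), "<CLIENT>", text, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", masked).strip().lower()


def similarity(a: str, b: str) -> float:
    """Character-level similarity in [0, 1]; 1.0 means identical text."""
    return SequenceMatcher(None, a, b).ratio()


def boilerplate_clusters(reports: dict[str, str], threshold: float = 0.95) -> list[set[str]]:
    """Group reports whose masked text is near-identical. Union-find over all
    pairs at or above the threshold; clients with no near-duplicate are dropped."""
    norm = {c: normalize(t, c) for c, t in reports.items()}
    parent = {c: c for c in reports}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(reports, 2):
        if similarity(norm[a], norm[b]) >= threshold:
            parent[find(a)] = find(b)

    groups: dict[str, set[str]] = {}
    for c in reports:
        groups.setdefault(find(c), set()).add(c)
    return [g for g in groups.values() if len(g) > 1]


def shared_anomalies(reports: dict[str, str], markers: list[str]) -> dict[str, list[str]]:
    """Return each marker that appears in more than one client's report,
    mapped to the sorted list of clients it appears in."""
    hits = {m: sorted(c for c, t in reports.items() if m in t) for m in markers}
    return {m: cs for m, cs in hits.items() if len(cs) > 1}


if __name__ == "__main__":
    for group in boilerplate_clusters(REPORTS):
        print(f"{len(group)} near-identical reports: {sorted(group)}")
    for marker, clients in shared_anomalies(REPORTS, ANOMALY_MARKERS).items():
        print(f"marker {marker!r} shared by {len(clients)} clients: {clients}")
```

On the constructed input the four boilerplate reports collapse into one cluster and both markers are reported as shared by those same four clients, while the evidence-based report stands alone. The similarity threshold is deliberately high: a report that reuses a sentence or two of standard auditor language is normal, whereas one that matches another client's report almost character for character after the name is masked is the pattern worth escalating.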

Delve's own pitch: AI agents that "write reports" and "perform validation of your evidence." Screenshot of delve.co.
DeepDelver said the auditors Delve marketed as US firms traced back to overseas shops using virtual addresses. The group's tone was disbelief, not anger. They said they were "baffled by the laziness, clumsiness and brazenness of it." Delve, they wrote, hit its claim of being the fastest platform "by producing fake evidence." If that's true, the fallout is wide. Hundreds of firms told their own customers they were safe. The proof was a report nobody really wrote.
The price had been a quiet clue all along. Some Delve audits reportedly cost only a few thousand dollars. A real SOC 2 audit takes an expert many hours, so that figure never added up. At least one security chief later said the cheap rate had bothered him for months before the leak. The market wanted to believe the bargain anyway.
How Delve answered the accusations
Delve pushed back hard. It said it does not issue audits at all. It only runs an automation platform. "Final reports and opinions are issued solely by independent, licensed auditors, not Delve," the company said. Draft templates, it argued, are not pre-filled evidence. On April 4, the founders posted a video. It drew nearly 5 million views.
The video is worth watching for how it shifts. It opens as an apology, then turns on the source. The founders say sorry for the "inconveniences." They promise a new auditor network and free re-audits. Then they reframe the story as a crime done to them, not by them.
> That said, we grew too fast and fell short of our own standard. To our customers, we deeply apologize for the inconveniences caused. [...] The evidence we have points to a targeted cyberattack from a malicious actor, not a "whistleblower."
>
> Karun Kaushik (@karunkaushik_), April 4, 2026
Read that again. The person who exposed the problem becomes "a malicious actor." Delve says this actor "purchased Delve under false pretenses" and "exfiltrated internal company data." This is the oldest move there is. When you can't deny the documents, you attack the messenger. Maybe a login really was misused. Even so, calling a whistleblower a hacker sends one message to every employee watching. Speak up about us, and we'll come after you. An EU advisory body showed the same instinct when it secretly hunted the anonymous source behind corruption complaints against its own leadership.
Why the people who knew stayed anonymous
One detail gets lost in the rest of the coverage. No Delve employee put a name to this. The report came from outside, from customers who pooled what they'd seen. They stayed faceless on purpose. They were up against a well-funded, lawyer-equipped startup. They judged that a name would cost them. The CEO's "hacker" reply showed they were right.
That inside silence is the real warning. Plenty of people at Delve must have known. They saw the identical reports, the gibberish test data, the typo on every copy. None of them had a safe way to say so. There was no trusted channel to take a worker's concern, hide their name, and force a real look. So the truth took the long way around. It came through anonymous outsiders, months after the first signs.
A confidential reporting channel exists for this exact moment. It lets one worried engineer flag a problem without betting their job on it. The point isn't paperwork. An early, protected report can stop a small rot before it becomes a $300 million one. Delve had the evidence in plain sight. It had no one inside who felt safe enough to pull the alarm.
US law does protect some whistleblowers from payback. But a law on paper is cold comfort against a lawsuit and a public "hacker" label. Most people weigh that risk and stay quiet. That is why the channel matters more than the statute. A worker needs a safe route first, or the right to report never gets used.
The fallout reached Y Combinator, Insight Partners, and a courtroom
The video did not save the company. Within days, Y Combinator removed Delve from its directory and asked the founders to leave the program. That's a rare public break with one of its own. Insight Partners briefly pulled its investment write-up offline. The timeline below shows how fast a leaked spreadsheet became a full crisis.
| When | What happened |
|---|---|
| Mid-March 2026 | DeepDelver publishes "Fake Compliance as a Service" on Substack, with the leaked report data. |
| 22 March 2026 | TechCrunch reports the allegations; Delve calls them misleading. |
| 30 March 2026 | DeepDelver returns, alleging Delve copied a rival YC startup's open-source code. |
| 3-4 April 2026 | Y Combinator drops Delve; the founders post their apology and cyberattack video. |
| 21 April 2026 | A class action naming Delve is filed in the Northern District of California. |
A second DeepDelver post went further than sloppy audits. It accused Delve of taking a rival YC startup's open-source code and reselling it as its own product. That claim shifted the story from cut corners to theft. For many onlookers, that was the moment sympathy turned into anger.
The legal exposure spread from Delve to its customers. A class action in federal court in California named the company over "sham security audits." Every firm that had shown a Delve report to its clients now had a problem. Their security promise might not hold. The accounting profession moved too. The AICPA's peer review body told reviewers to flag identical risk assessments and testing across different clients.
Public reaction sat between fury and dark comedy. One widely shared post caught the mood. Faking the audits was bad but survivable, it said, while stealing another startup's code "crosses the line." Under the jokes was a real fear. If a Y Combinator company with brand-name investors could ship hundreds of hollow audits, how much of the compliance market rests on documents nobody reads?
Why a SOC 2 stamp stopped meaning anything here
The deeper lesson is about trust, not one startup. A SOC 2 report works because the buyer assumes someone independent did the checking. Delve's critics say that assumption is the weak point. Almost no one reads past the cover page. Clarence Chio, who runs the compliance firm Coverbase, put the fix plainly.
> "The question 'Does this vendor have a SOC 2?' was always the wrong question. The right question is 'Does this vendor actually do what their SOC 2 claims?'"
>
> Clarence Chio, CEO of Coverbase
That gap, between holding a certificate and earning it, sits under famous accounting collapses. Enron's auditor Arthur Andersen signed off on fiction. WorldCom hid billions. Theranos sold a product that never worked. Each time, a number the public trusted turned out to be staged. Delve just moved the trick from a balance sheet to a security badge.

Delve's site footer, after the scandal broke: "Spoiler: we passed our audits." Screenshot of delve.co.
Compliance you cannot verify is not compliance. A fast audit that skips the checking is worse than no audit. It sells false calm to the very customers it should protect. The firms that bought Delve's speed are now learning a stamp is only as honest as the process behind it.
What's missing from the whole story is the safe path that never existed. The fraud was visible from inside long before any outsider pieced it together. A worker with a secure, anonymous way to report, and real protection from payback, could have surfaced it in week one. Instead it surfaced after the value, the customers, and the trust were already gone. Whistleblowing software like WeMoral exists to give that worker a door that doesn't lead straight back to a "hacker" accusation. Delve is what happens when nobody has one.
Compliance specialist focused on policy roll-out and internal information flow. Writes on EU rule-making, landmark cases, and implementing reporting software.