Delve founders Karun Kaushik and Selin Kocalar

The Delve Scandal: 494 Fake Audits, Stolen Code, and $32M From Y Combinator

Y Combinator. $32 million. Forbes 30 Under 30. The perfect resume for a fraud.

Y Combinator. $32 million. Forbes 30 Under 30. Garry Tan calling you a top startup. Billboards in San Francisco, New York, Austin.

Then someone opened a spreadsheet.

The Setup

Karun Kaushik and Selin Kocalar, 21-year-old MIT dropouts, founded Delve through YC Winter 2024. The pitch: SOC 2 certification in days, not months. AI-native, automated, no consultants.

January 2025: $3.3M seed from General Catalyst, FundersClub, and Soma Capital. July 2025: $32M Series A led by Insight Partners at a $300M valuation. December 2025: both founders named to the Forbes 30 Under 30 AI list.

YC President Garry Tan had amplified Kaushik's post in September 2025, calling Delve 'a top YC startup.' 175,000 views. Lovable, Brex, Anthropic, and Gusto reportedly among 1,700 customers.

A Spreadsheet Nobody Was Supposed to See

December 2025. A publicly accessible Google spreadsheet leaked. It contained confidential draft SOC 2 audit reports for hundreds of Delve clients, including private signatures and architectural diagrams.

CEO Karun Kaushik emailed clients: 'no external party gained access to any database.' Dissatisfied customers were not convinced. They started comparing notes.

493 Out of 494

On March 18, 2026, an anonymous Substack writer called DeepDelver published Part I of their investigation. NYT reporter Erin Griffith amplified it. Hacker News hit 835 points in hours.

The number that traveled: 493 out of 494 SOC 2 reports were 99.8% identical. Same paragraphs. Same grammatical errors. The phrase 'An Endpoint Security Solution is installed with the feature of scanning...log reports are reviewed' appeared in 493 of 494 files.

The Type II reports all contained the same typo: 'because there no security incidents reported.' The verb is missing. Verbatim, across hundreds of companies. Four controls marked untestable in every single Type II report; identical wording, identical reason, zero exceptions across 259 companies. Statistically impossible for independently performed audits.

Test values inside the reports: sdf, g, dlkjf. Keyboard mash. Appearing identically across unrelated clients. These were not drafts. These were the final deliverables.
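The pattern DeepDelver found (the same paragraphs in nearly every report, the same broken sentence everywhere, keyboard-mash evidence values) is mechanically detectable once the reports are in plain text. The following Python is an added example, not code from the investigation, from Delve, or from any auditor; the ten sample reports, the client names, the 90% boilerplate threshold, the 0.6 similarity threshold and the acronym allowlist are all constructed assumptions.

```python
"""Flag templated 'audit' reports: shared boilerplate, near-duplicate
documents, and placeholder evidence values.

Added example, not code from the DeepDelver investigation. Sample reports
are constructed inline; thresholds and the acronym allowlist are assumptions.
"""
import re
from itertools import combinations

# Constructed boilerplate modelled on the sentences quoted in the article.
BOILERPLATE = (
    "An Endpoint Security Solution is installed with the feature of scanning. "
    "Log reports are reviewed. "
    "No exceptions noted because there no security incidents reported. "
    "Change management control could not be tested."
)

# Nine templated reports (constructed) that differ only in their 'evidence' value,
# plus one report written by a human about a real environment.
EVIDENCE = ["sdf", "g", "dlkjf", "sdf", "sdf", "g", "dlkjf", "sdf", "g"]
REPORTS = {f"client{i + 1:02d}": f"{BOILERPLATE} Evidence: {e}."
           for i, e in enumerate(EVIDENCE)}
REPORTS["hooli"] = (
    "Endpoint protection (CrowdStrike) is deployed on all 42 laptops; "
    "weekly detection reports are reviewed by the security lead. "
    "MFA is enforced on all accounts. "
    "Two incidents were logged in the period; tickets INC-17 and INC-23 attached."
)

VOWELS = set("aeiou")
# Acronyms that legitimately contain no vowels (assumption; extend per corpus).
ALLOWLIST = {"ssl", "tls", "dns", "gdpr", "hsts", "vpn", "sql", "xss", "csrf",
             "mfa", "cpa", "ssh", "pdf", "crm"}


def sentences(text):
    """Split a report into a set of lowercased sentences."""
    return {s.strip().lower() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()}


def shared_sentences(reports, min_fraction=0.9):
    """Sentences present in at least min_fraction of all reports (the boilerplate)."""
    counts = {}
    for text in reports.values():
        for s in sentences(text):
            counts[s] = counts.get(s, 0) + 1
    n = len(reports)
    return {s for s, c in counts.items() if c / n >= min_fraction}


def jaccard(a, b):
    """Jaccard similarity of two sentence sets (1.0 when both are empty)."""
    return len(a & b) / len(a | b) if a | b else 1.0


def similarity_pairs(reports, threshold=0.6):
    """Pairs of reports whose sentence sets overlap at or above threshold."""
    sets = {k: sentences(v) for k, v in reports.items()}
    pairs = {}
    for x, y in combinations(sorted(sets), 2):
        score = jaccard(sets[x], sets[y])
        if score >= threshold:
            pairs[(x, y)] = round(score, 3)
    return pairs


def mash_tokens(text):
    """Alphabetic tokens of 3+ chars with no vowels that are not known acronyms:
    a cheap signal for keyboard-mash placeholders such as 'sdf' or 'dlkjf'."""
    return sorted({t for t in re.findall(r"[a-z]+", text.lower())
                   if len(t) >= 3 and not (set(t) & VOWELS) and t not in ALLOWLIST})


def audit_corpus(reports):
    """Run all three checks over a {name: text} corpus."""
    placeholders = {k: mash_tokens(v) for k, v in reports.items()}
    return {
        "boilerplate": shared_sentences(reports),
        "near_duplicates": similarity_pairs(reports),
        "placeholder_values": {k: v for k, v in placeholders.items() if v},
    }


if __name__ == "__main__":
    result = audit_corpus(REPORTS)
    print(f"{len(result['boilerplate'])} sentences shared by >=90% of reports")
    print(f"{len(result['near_duplicates'])} near-duplicate pairs")
    print("placeholder evidence:", result["placeholder_values"])
```

On the constructed corpus the four boilerplate sentences are flagged, all 36 pairs among the nine templated reports score as near-duplicates, the genuinely written report matches nothing, and the 'sdf' and 'dlkjf' values are surfaced while the single-character 'g' slips past the length filter, which is why a real review would pair this with a check that every evidence field references an actual artifact.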

The auditor conclusions were written before any evidence was submitted. Clients who had never completed onboarding found pre-populated board minutes, security tests, and penetration testing results waiting for them. One click to adopt all of it. None of it had happened.

Drake meme: dismissing real penetration testing, approving copy-paste SOC 2 for $6k

Every Delve sales call, probably.

The Auditors Were Fake Too

Delve marketed 'US-based CPA firms.' DeepDelver traced them to Indian certification mills: Accorp, Gradient, Glocert, DKPC, Accorian, BQC Assessment. All operating through US mailbox addresses. One report still carried another firm's ID on its cover page. Nobody caught it.

ISO 27001 certificates lacked accreditation from any government-recognized body. Delve leadership was generating auditor assessments themselves, directly violating AICPA independence rules. The initial quote was $15,000 for SOC 2. Mention a competitor and the price dropped to $6,000, now including ISO 27001 and a claimed 200-hour penetration test. Economically impossible at that price if the work were actually performed.

The Internet Reacts

The main Hacker News thread reached 835 points and 295 comments. Security researcher tptacek wrote: 'The damage this will do to the reputation of the SOC2 Security Attestation is incalculable.' He added: 'SOC2 is a sales-enablement tool' and 'practically nobody actually reads SOC2 reports; they just check the box.'

patio11 called the CEO's public response a 'non-denial denial.' He went deeper on the Complex Systems Podcast, calling Delve's product 'Potemkin compliance' and the behavior 'fraud, not the sort of benign rule-breaking celebrated in startup culture.' His line: 'Every regulation is written in blood.' The controls exist because real failures demanded them.

HN moderator dang addressed suppression concerns. The thread had triggered voting ring detection; he confirmed manual review and front page placement. He noted HN moderates 'less, not more' on YC-related stories, per pg's original directive.

A separate thread asked directly: 'Did Delve Commit Securities Fraud?' The question was about representations made to investors during the Series A fundraising period. No formal SEC action has followed.

@ohryansbelt published a detailed Twitter thread summarizing the investigation. Gergely Orosz called it 'going from very bad to beyond very bad.' @barrald observed: 'there's something truly sublime about cluely being scammed on their SOC 2.' On Teamblind, a thread titled 'Delve, a YC startup valued at $300M, has been committing widespread fraud' saw heavy traffic.

The CEO Responds

Delve published a blog post: 'Delve does not issue compliance reports. Final reports and opinions are issued solely by independent, licensed auditors, not Delve.' And: 'These are starting points only: customers are responsible for reviewing, modifying, and finalizing their own materials.'

Kaushik emailed partners directly, calling the DeepDelver report 'falsified claims from an AI-generated bot.'

patio11's observation: the statement confirms the core allegations while disclaiming all liability. A textbook non-denial denial.

Insight Partners Deleted Their Post

Insight Partners, which led the $32M Series A, quietly scrubbed its investment blog post about Delve from its website. For a major VC to delete public investment commentary is extremely unusual. Delve simultaneously disabled its book-a-demo button.

Lovable, cited in Delve marketing materials as a marquee customer valued at $6.6B, publicly disavowed: 'Lovable is not a Delve customer.' The company confirmed it had moved to Vanta in late 2025, before the scandal broke.

Compliance Theater Meets Real Malware

LiteLLM is an open-source AI gateway with 3.4 million daily downloads and 97 million total downloads. It had obtained SOC 2 via Delve in under 60 days, versus the typical 6 to 12 months.

In late March, LiteLLM's open-source version was hit with credential-harvesting malware injected through a dependency. The irony was not lost on anyone. Inc. Magazine covered it: 'Malware in an open-source project could have infected thousands. The twist: it was certified by Delve.'

A second HN thread titled '97M downloads, $0 real auditing: LiteLLM's SOC 2 was one of 533 fake reports' reached 124 points. The community had indexed the leaked spreadsheet against known Delve customers: 533 reports, 455 companies, 99.8% identical.

LiteLLM CTO Ishaan Jaffer announced the company would redo all certifications with Vanta and an independent third-party auditor. By March 30, they had publicly dropped Delve.

And Then It Got Worse

DeepDelver's Part II arrived March 30. New allegation: Delve's no-code workflow tool 'Pathways,' sold to enterprises at $50,000 to $200,000+, was a lightly modified fork of SimStudio, the open-source product from fellow YC company Sim.ai. The Apache 2.0 license requires retaining the original copyright and attribution notices. Delve kept none.

Internal tickets described porting specific SimStudio folders: Blocks, Components, Executor, Tools. Delve contracted a Bangladeshi dev shop for maintenance rather than building internally. When asked, they claimed they 'built it from the ground up.'

On April 24, 2025, Kaushik got on a sales call with Sim.ai CEO Emir Karabeg. He pitched Karabeg a compliance package, rejected Karabeg's licensing proposal citing 'insufficient ROI,' and then sold Karabeg's own product to Notion, Brex, Anthropic, and Gusto.

Karabeg told TechCrunch: 'I did not know they were going to sell it out of the box as a standalone solution.' No licensing agreement existed. Sim.ai was simultaneously a paying Delve customer; $15,000 for SOC 2 and HIPAA compliance that was also allegedly fake.

Gergely Orosz summed it up: 'Apparently Delve's founders were so shameless that they 1. Charged a fellow YC company (Sim) their full fee for auditing (that turned out to be fake) 2. Then ripped off Sim's IP, and sold it to customers for $$'

Gru's plan meme: fake SOC 2 audits, copy-paste reports, get malware anyway

The Delve business model, visualized.

Where Things Stand

Pathways has been scrubbed from Delve's website. Demos remain halted. Delve's media inquiry email no longer works. DeepDelver titled Part II 'Day 2 of 5.' More is coming.

No formal regulatory action as of early April. No AICPA ruling, no SEC investigation, no HIPAA enforcement. The entire exposure came from an anonymous Substack writer and a handful of reporters.

1,700 companies paid for security certifications. Many process patient data daily. They may carry legal liability they believed they had covered. HIPAA's highest civil penalty tier is reserved for willful neglect, and knowingly obtaining or disclosing protected health information is a federal crime. GDPR fines reach 4% of global annual revenue.

Compliance theater is not new. Delve automated it, charged for it, and raised $32 million doing so. The GRC market is worth $1.3 billion, growing at 53% per year. There will be more Delves.
