Tech Scandal EXPOSED: Delve Whistleblower Reveals ‘Fake Compliance’ Fraud and Startup Fallout

  • An anonymous whistleblower known as “DeepDelver” has accused Delve of creating 494 fake SOC 2 compliance reports.
  • The scandal exploded when LiteLLM, a popular AI tool with Delve-issued security badges, was hit by a supply-chain malware attack.
  • Delve, a Y Combinator-backed startup valued at $300M, strongly denies all allegations of fabricating audit evidence.
  • The whistleblower has released “receipts” including video evidence and Slack screenshots to support their claims.
  • This scandal highlights the dangers of “security theater” and raises serious questions about vendor risk management in the startup ecosystem.
  • Startups that used Delve face potential legal liability under HIPAA and GDPR if their compliance reports were fabricated.

Welcome to the HeyEveryone.io blog. I am Nikita Blanc, the founder of HeyEveryone. We spend our days helping startup founders fix the broken world of cold outreach. We know how hard startup fundraising is. You spend upwards of six months looking for the right investors, writing emails, and hoping for a reply. It takes real hard work, honesty, and trust to build a great startup.

But what happens when a wildly successful startup decides to fake that trust?

Today, we are talking about the most shocking news in the tech world this week. You might have seen the trending headline everywhere: Delve whistleblower strikes again, with alleged receipts about ‘fake compliance’.

This is a massive tech scandal. An insider at a very famous startup called Delve is exposing the company. They claim Delve is faking its security rules. The insider says they have proof – or “receipts” – that Delve was lying to everyone. This is a story about hackers, fake board meetings, and a massive loss of trust. Grab a seat, because this story is a wild ride!

How did a high-flying tech company get into so much trouble so fast? Let us look at the timeline of events. It reads like a spy movie.

February to March 2026: The First Strike
It all started when an anonymous investigator appeared on the internet. They used the fake name “DeepDelver.” This mystery person wrote a huge blog post on Substack. They called it “Delve – Fake Compliance as a Service – Part I”. DeepDelver claimed that Delve was creating fake safety reports for hundreds of companies. We are talking about big safety rules like SOC 2, ISO 27001, HIPAA, and GDPR. The whistleblower said Delve made 494 fake SOC 2 reports.

March 21, 2026: The News Breaks
Around March 21, the big tech news sites caught the story. TechCrunch and other reporters shared the shocking claims. They wrote that Delve was accused by an anonymous source of tricking customers. The claim was that Delve made “false evidence of meetings, tests and processes that never took place.”

March 26, 2026: The Hackers Attack
Then, things got much worse. TechCrunch reported that two separate dramas crashed into each other. A very popular open-source AI tool called LiteLLM was hacked. The hackers used a nasty supply-chain malware attack.

Why does this matter for Delve? Because LiteLLM proudly showed off security badges on its website. Those badges (SOC 2 and ISO 27001) were given to them by Delve! This made everyone wonder: if LiteLLM had a top security badge from Delve, but got hacked so badly, was the badge even real?

March 29, 2026: The CEO Fights Back
Delve’s founder and CEO, Karun Kaushik, decided he had enough. He went on X (which used to be Twitter) and wrote a very long post. He firmly denied that his company faked any audit evidence. He called the whistleblower’s claims “deceptive” and said they had “numerous false statements.” He also pointed out that independent auditors, not Delve, are the ones who give out the actual badges.

March 30, 2026: The Whistleblower Returns
Just one day after the CEO defended his company, TechCrunch published a new update. The headline read: Delve whistleblower strikes again, with alleged receipts about ‘fake compliance’.

DeepDelver did not back down. Instead, they posted again, releasing what they called “receipts.” These receipts included video evidence and pictures of private Slack messages. The whistleblower also promised that more posts were coming soon.

Late March to Early April 2026: The Fallout Gets Worse
By late March, a whole website called dupedbydelve.com popped up. It claimed there were 494 fabricated compliance reports and named dozens of affected companies.

Security experts started writing about this everywhere. They talked about how this scandal showed a big problem with “security theater” and vendor risk. Finally, LiteLLM announced it was dropping Delve completely. They said they would look for new security badges from competitors like Vanta to distance themselves from the malware mess.

If you are a startup founder doing your own investor outreach, you might know how important a good reputation is. Delve had a great reputation.

Delve is a startup that uses AI to help companies get security badges fast. These badges include SOC 2, ISO 27001, HIPAA, and GDPR.

Their main pitch was very exciting. They advertised “agentic AI” and cool automation. They promised to collect evidence, organize controls, and help companies pass their safety audits much faster than the old, slow way.

They were the golden child of the startup fundraising world. They went through the famous Y Combinator program (YC 2023/2024). The company was started by 21-year-old dropouts from MIT.

Because they looked so good, investors gave them a lot of money. They raised a $3M seed round. Then, they raised a huge $32M Series A round led by a famous group called Insight Partners. This gave Delve a massive value of around $300M!

In the market, they were fighting against big players like Vanta, Drata, and Secureframe. But now, all of that success is in danger.

Let us dive into the core of the scandal. What exactly did DeepDelver find?

The main claim is shocking. The whistleblower says Delve hugely exaggerated or completely faked safety evidence for hundreds of its customers. Instead of making sure companies were actually safe, Delve was basically selling “fake compliance as a service.”

The numbers are huge. The whistleblower claims Delve helped make at least 494 fake SOC 2 reports. One report noted that 493 out of those 494 reports were almost exactly the same.

Many of these reports allegedly used the exact same generic text. They had the exact same weird phrases and spelling mistakes. The only things that were changed were the company names, logos, who worked there, and the signatures.

DeepDelver and other reporters say that Delve gave its clients “manufactured proof.” What did they fake?

  • Board meetings that never even happened.
  • Security tests and fire drills that were never done.
  • Risk checks and policy reviews that never took place.

The blog posts say Delve was “supplying clients with ‘manufactured proof of non-existent board meetings, evaluations, and procedures.’” It also claims Delve “bypasses crucial framework stipulations while informing clients of complete compliance.”

Customers were apparently given a tough choice. They could either accept the fake, robot-made evidence and get their badges fast, or they could do the hard work manually. This manual choice had very little real AI help. This goes against everything Delve promised in their marketing.

Some news sites think Delve’s amazing “agentic AI” was just a trick. Instead of smart robots, it might have just been regular people using copy-and-paste templates to make fake certificates.

To get a safety badge, an outside referee called an auditor has to check your work. DeepDelver claims Delve had a sneaky plan for this, too.

The whistleblower says Delve pushed its clients to use two specific audit firms. These firms were named Accorp and Gradient. The claim is that these auditors relied way too much on the evidence Delve gave them. They acted like “rubber-stamp” operations instead of real, strict referees.

The story says these auditors were basically part of the same team, mostly based in India. They turned the rules upside down. A real auditor is supposed to ask hard questions and test your safety. But here, Delve would just write up a fake story, hand it over, and the auditor would sign it without checking.

This is a nightmare for startup founders. If you use fake reports, you can get in huge trouble with the law.

DeepDelver warned that under strict rules like HIPAA and GDPR, companies that used fake Delve audits could face disaster. If a hacker steals their data, they have no real defense. This means they lose their GDPR Article 32 “appropriate technical measures” defense if their ISO 27001 badge is fake.

Worse, companies could face criminal charges under HIPAA and massive fines under GDPR for lying about being safe.

There is also a huge chain reaction. If 494 companies used Delve to show they are safe, and then big businesses hired those 494 companies, the fake safety rules spread everywhere. Every big company that accepted those fake reports brought danger into their own systems.

As the headline says, the Delve whistleblower strikes again, with alleged receipts about ‘fake compliance’.

After Delve’s CEO said the rumors were fake, DeepDelver hit back harder. They posted new things, including video evidence and screenshots of internal Slack messages. TechCrunch called these “alleged receipts” that directly go against what the CEO said. This makes the claim that Delve faked everything look much stronger.

DeepDelver is not done yet. They say more posts are coming. This means they will probably leak more secrets over time, instead of dropping everything at once.

Delve is fighting for its life. The company strongly denies that it fakes any evidence for its customers.

Delve claims that its software just collects real data that the customers provide. They also say that independent, third-party auditors are the ones who give out the badges, not Delve. CEO Karun Kaushik says the Substack posts are “deceptive” and full of “numerous false statements.”

Delve also points out a sad truth: just because you have a safety badge does not mean you will never be hacked. They say they cannot promise a customer like LiteLLM will never get attacked just because they passed a test.

Right now, the government has not charged Delve with any crimes. Delve has not admitted to doing anything wrong. But public opinion in the startup world is very bad. Many people now look at Delve as a perfect example of “security theater” and structural fraud.

We cannot talk about this story without looking closer at the LiteLLM disaster.

LiteLLM is a very popular open-source tool. It acts as a gateway connecting to over 100 different AI language models.

In March 2026, very bad hackers known as TeamPCP attacked LiteLLM. They infected versions 1.82.7 and 1.82.8 on the Python Package Index (PyPI). They hid a password-stealing virus inside a tiny file that runs the moment Python starts.

This virus was terrible. It stole SSH keys, cloud passwords, and top-secret codes. It turned any computer that used LiteLLM into an “open book” for the hackers.
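A defender-side check for the incident described above, added here as an example and not taken from LiteLLM, Delve or the reports the article cites. It compares installed packages against the two infected versions the article names and lists the lines in `.pth` files that Python executes at startup; that the "tiny file" was a `.pth` path-configuration file is an assumption, since the article does not name it.

```python
import re
from importlib import metadata
from pathlib import Path

# Versions the article names as infected on PyPI.
COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}

# Python's site module executes any .pth line that starts with
# "import" followed by a space or tab; other lines are only paths.
EXEC_LINE = re.compile(r"^import[ \t]")


def compromised_installs(installed):
    """Return sorted (name, version) pairs from `installed` listed in COMPROMISED."""
    return sorted((n, v) for n, v in installed.items()
                  if v in COMPROMISED.get(n.lower(), ()))


def installed_versions():
    """Map distribution name -> version for the current environment."""
    out = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            out[name.lower()] = dist.version
    return out


def executable_pth_lines(site_dir):
    """List (file name, line number, line) for .pth lines run at interpreter start."""
    hits = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if EXEC_LINE.match(line):
                hits.append((pth.name, no, line.strip()))
    return hits


if __name__ == "__main__":
    import site
    print("compromised:", compromised_installs(installed_versions()))
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        for hit in executable_pth_lines(d):
            print("startup code:", d, *hit)
```

Legitimate packages also ship `.pth` files with `import` lines (editable installs, for example), so the hits are a review list, not a verdict.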

Before this hack, LiteLLM’s website proudly displayed Delve-issued SOC 2 and ISO 27001 badges.

After the attack, LiteLLM publicly fired Delve. They said they would get new badges from other companies like Vanta. They made it clear they did not trust Delve anymore.

Reporters quickly realized this was two huge scandals crashing together. First, a major AI tool was hacked. Second, the safety badges that said the tool was safe might have been faked by Delve.

This does not prove Delve caused the hack. But it completely destroys any trust people had in those safety badges.

This scandal is about more than just one company. It shows a huge risk for the entire startup world.

Many experts say that compliance is turning into a joke. People just want to check a box to get a badge. The Delve story is a textbook case of “security theater.” It looks nice on the outside with lots of paperwork and shiny logos, but there is no real safety on the inside.

If one safety tool is lying, it hurts everyone. One bad company can ruin the trust of hundreds of startups. And those startups then pass that bad trust onto thousands of their own customers.

This is super scary for AI startups that handle very private data, like health records and secret business plans. Buyers often just look for a badge and do not ask hard questions.

If you are a founder and you used Delve, experts say you need to act fast. Get an independent re-audit of your safety rules. Do not rely on old Delve reports.

When you look at other companies, ask hard questions. Ask which audit firm gave them the badge. Verify if the auditor is real and has a good reputation. Check if the safety tests look real or if they look like copied-and-pasted text.
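One way to run the copied-text check on a set of vendor reports, and to spot the pattern described earlier where only names and logos change, as an added example that is not from the article or the whistleblower's posts. It masks each company's name, then scores every pair of reports by the five-word runs they share; the sample reports, company names and the 0.8 threshold are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample excerpts; two share a template, including a typo.
SAMPLE = {
    "Acme Health": "Acme Health management reviewed the risk assesment on a "
                   "quarterly basis and the board of Acme Health approved "
                   "the information security policy.",
    "Birch AI": "Birch AI management reviewed the risk assesment on a "
                "quarterly basis and the board of Birch AI approved "
                "the information security policy.",
    "Cedar Pay": "Cedar Pay runs weekly access reviews in its identity "
                 "provider; exceptions are ticketed and closed within five "
                 "business days by the platform team.",
}


def normalize(text, entity_names):
    """Lowercase, mask every known company name, and split into word tokens."""
    text = text.lower()
    for name in entity_names:
        text = text.replace(name.lower(), "<org>")
    return re.findall(r"<org>|[a-z0-9']+", text)


def shingles(tokens, k=5):
    """Set of k-word windows; a text of k words or fewer yields one shingle."""
    if len(tokens) <= k:
        return {tuple(tokens)}
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    """Shared shingles divided by all shingles; 0.0 when both sets are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0


def template_pairs(reports, threshold=0.8, k=5):
    """reports maps company name -> report text. Return [(a, b, score)] at or above threshold."""
    names = list(reports)
    sets = {n: shingles(normalize(t, names), k) for n, t in reports.items()}
    out = []
    for a, b in combinations(sorted(names), 2):
        score = jaccard(sets[a], sets[b])
        if score >= threshold:
            out.append((a, b, round(score, 2)))
    return out


if __name__ == "__main__":
    for a, b, score in template_pairs(SAMPLE):
        print(f"{a} / {b}: {score} of five-word runs shared after masking names")
```

Some overlap is normal, because auditors reuse standard wording for criteria and scope; near-total overlap in the descriptions of tests performed and results is the part worth questioning.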

As of early April 2026, we still do not know everything.

We do not know if the government will sue Delve. We do not know if angry customers will start a class-action lawsuit.

We also do not know if every single receipt from the whistleblower is 100% real. TechCrunch takes this very seriously, but they still call them “alleged receipts.” Delve still fights back and says their audits are real.

But we do know that Delve is in big trouble. TechCrunch wrote another article saying the reputation of the troubled YC startup has gotten even worse.

At HeyEveryone.io, we believe that trust is the most valuable thing a startup has. When you are doing your startup fundraising, investors need to believe in you. They need to know your numbers are real, your product works, and your safety rules are strict.

When you do investor outreach, you are making a promise. You are telling them that you are building something real. Faking your safety rules is the fastest way to destroy that trust forever.

At HeyEveryone, we use advanced AI to help you find the right investors. We automate the hard work of writing cold emails and following up. We save you time so you can focus on building a real, safe, and honest business. We do not believe in faking anything. We believe in using data to create real human connections.

The story of Delve is a warning for all of us. When you take shortcuts with trust, you eventually get caught. Stay honest, do the hard work, and build something you can truly be proud of.

What exactly did the Delve whistleblower accuse the company of doing?
The whistleblower, known as “DeepDelver,” accused Delve of fabricating compliance evidence for hundreds of customers. This includes allegedly creating fake board meeting records, security tests, and policy reviews that never actually occurred, resulting in approximately 494 fake SOC 2 reports.

How is the LiteLLM hack connected to the Delve scandal?
LiteLLM, a popular open-source AI tool, was hacked in March 2026 despite having SOC 2 and ISO 27001 security badges issued by Delve. This raised serious questions about whether Delve’s compliance certifications were legitimate, especially since the hack occurred while LiteLLM displayed these Delve-certified badges on their website.

What are the “receipts” that the whistleblower provided?
The whistleblower released additional evidence including video footage and screenshots of internal Slack messages that allegedly contradict Delve’s CEO’s denials. These “receipts” were published after the CEO publicly defended the company, and the whistleblower has promised more revelations are coming.

What legal risks do startups face if they used Delve for compliance?
Startups that relied on potentially fabricated Delve audit reports could face criminal charges under HIPAA, massive fines under GDPR, and lose their legal defenses (like GDPR Article 32 protections) in the event of a data breach. They may also face liability for misrepresenting their security posture to customers and partners.

How has Delve responded to these allegations?
Delve’s CEO, Karun Kaushik, has strongly denied all allegations, calling the whistleblower’s claims “deceptive” with “numerous false statements.” The company maintains that independent third-party auditors, not Delve itself, issue the actual compliance certifications, and that their software only collects evidence that customers provide.

What should startups do if they used Delve for their compliance certifications?
Security experts recommend that any startup that used Delve should immediately seek an independent re-audit from a reputable third-party auditor. Companies should not rely on existing Delve reports and should be prepared to demonstrate genuine compliance to customers, partners, and regulators.
