← Back to stories Close-up view of HTML and CSS code displayed on a computer screen, ideal for programming and technology themes.
Photo by Bibek ghosh on Pexels
虎嗅 2026-04-06

The “death” of YC star Delve: expelled after allegations of fake SOC 2 audits and stolen code

What happened

Y Combinator (YC) has quietly scrubbed Delve — a W24 batch standout — from its startup directory, after what it has been reported that an anonymous Substack post and subsequent media probing accused the company of systemic fraud and intellectual‑property theft. Delve marketed an automated SOC 2 compliance product that promised to compress a months‑long, costly audit into weeks, and a no‑code workflow product Pathways that reportedly sold for $50k–$200k per customer. The startup had been publicly cheered by YC partner Garry Tan and reportedly attracted a lead investment from Insight Partners on a valuation around $300 million and more than 1,000 paying customers, according to reporting by Huxiu (虎嗅).

The allegations

It has been reported that an anonymous account called DeepDelver posted a long exposé titled “Fake Compliance as a Service,” claiming Delve’s SOC 2 reports were not independently performed by U.S. CPA firms but internally generated and rubber‑stamped by an Indian certification vendor — with 493 reports allegedly 99.8% identical apart from client names. It has also been reported that Pathways was largely forked from SimStudio, an open‑source product from YC‑backed Sim.ai: according to the accounts, Delve first became a customer, gained code access, removed attribution and sold the fork as its own. TechCrunch began following the thread; Insight Partners reportedly removed portfolio posts referencing Delve. These are serious allegations — if true, customers who relied on Delve’s compliance paperwork could face HIPAA criminal exposure and GDPR penalties, and individuals implicated could face federal prosecutions.

Fallout and why it matters

YC’s internal response was swift and public within its own walls: Garry Tan reportedly posted on Bookface that “We have asked Delve to leave YC,” and Delve’s directory listing was removed. The saga has reopened a tougher, older debate: how much of Silicon Valley’s “move fast, break things” ethos tolerates deception until exposure? Some commentators point out a paradox — fraud aimed at outsiders can sometimes be tolerated, but stealing from fellow YC companies is treated as the gravest sin. A high‑voted Hacker News comment put it bluntly: “Looks like fraud is okay at YC but you can't screw other YC companies.” The episode underscores not just potential legal risk for a single startup but the limits of high‑trust accelerator networks when enforcement and secrecy collide.

AI
View original source →