I'm getting the impression that a lot of people in this thread think this is because they violated an open-source license and saying things to the effect of, "they're just the ones who got caught". I also thought that was the scandal initially. (And when it comes to license violations, yes, there's absolutely more where that came from.)
But that's just the cherry on top. I don't think they're being thrown out because they violated a license. There are really serious fraud allegations. Allegedly they were rubber-stamping noncompliant customers, leaving them exposed to potential criminal liability under regulations like HIPPA.
YC has no problem with morally questionable behavior, many YC startups do things that are just as shady. YC is, ultimately, not responsible for what these startups choose to do. Delve’s problem is that they betrayed so many other YC companies in the process. An important value of being in YC is access to a ready-made customer base. The licensing issue is nothing compared to their fake audits but it is an affront to the YC community, hence, kicked from the community.
I’m sure if Delve has only engaged in fraudulent audits or had only resold another YC company’s product, they would have been allowed to stay, the problem is all of that combined pissed off enough other YC companies.
Scribd are quite annoying. The pitch was "the YouTube for documents" allowing stuff to be posted and shared but they tend to try and get subscription money off you to see anything unlike the likes of YouTube.
I think when making the claim a company is a net negative, it's necessary to explore what would have happened if the company hadn't been founded.
I find it unlikely, for example that there would not be a dominant centralized forum platform. People would have certainly started problematic communities on the dominant platform, and it's unlikely a platform with strict moderation would have gained dominance before 2015 or so. I do think a dominant player would have been established by 2015.
Do you think whatever you see as harmful about Reddit would not have occurred if the company didn't exist?
It would have happened more slowly at least, delaying the increase in populism, nihilism and depression in the Western world, the anglosphere in particular.
The “I just have the arsonist the match, I didn’t tel him to strike it” approach of tech bros has caused untold damage to the world over the last 20
Years.
I think it’s partly that, but also that when you have something that is toxic, radioactive and on fire on your ship, you shove it overboard, and assess just how bad the damage was afterwards.
>Pre-written audit conclusions. The "Independent Service Auditor's Report" and all test conclusions were already filled in before clients had even submitted their company descriptions...
>Copy-paste templates. 493 out of 494 leaked SOC 2 reports (99.8%) had identical text, same grammatical errors, same nonsensical descriptions...
There's an excellent podcast and writeup on this from Patrick mcKenzie, which explains the story in more detail, including an interpretation of their statement and background on why this is a scandal in the first place.
I came across a top tier compliance auditor doing the same thing recently. I tried to talk to them about it and rather than approaching this from a constructive point of view they wanted to know the name of the company that got certified so they could decertify them and essentially asked me to break my NDA. That wasn't going to happen, I wanted to have a far more structural conversation about this and how they probably ended up missing some major items (such as: having non-technical auditors). They weren't interested. They were not at all interested in improving their processes, they were only interested in protecting their reputation.
I'm seriously disgusted about this because this was one of the very few auditors that we held in pretty high esteem.
Pay-to-play is all too common, and I think that there is a baked in conflict of interest in the whole model.
Yes. But I'm not working at either company and I'm 99.9% sure that it would lead to absolutely nothing other than a lot of misery for myself. The NDA's I sign have some pretty stiff penalties attached. I was actually hoping to see my trust in the auditing company confirmed and I'm still more than a little bit annoyed that they did not respond in a more constructive way.
My response however is a simple one: I used to steer (a lot of) business their way and I have stopped doing that.
I've already established that it was improper. It's up to them to make the most of that knowledge and then to determine of this is a singleton or an example of a class that has more representation. In that sense it is free to them, I'm under absolutely no obligation to provide them with a service. But I'm willing to expend the time and effort required to get them to make the most of it. What I'm not going to do is to allow them to play the blame game or 'shoot the messenger'.
I didn't mean it as a criticism, I think giving them the opportunity to improve and refusing to offer a scapegoat were both standup things to do. I'm just wondering if they were ever in a position to take that opportunity.
Similar boat. Seen the same shenanigans being played with actors who really should know better - everything from military secrets to medical data, and absolutely YOLOing it with an audit mill. I have it on good authority that there are superuser credentials floating around for their production systems that they’ve lost track of.
And no, I won’t whistleblow either, as it would mostly be me that would face repercussions, and I am unafraid to say that I am a coward.
We choose the battles we fight, and I’d like to believe that ultimately, entropy will defeat them without me lifting a finger.
I'd called out fraud (blatant lying in investor updates) at a VC backed startup where I was a technical co-founder, once. I emailed all the investors and presented all the evidence to them. They decided to not rock the boat and keep my charlatan co-founder. So, I left. Now, the company is slowly bleeding to death.
There are thousands of companies where the shady practices are rewarded, the companies thrive and make money for the investors. So the investors are incentivized to reward this behavior just on the chance that they are rewarded back.
Whistleblowing sinks those chances and the investors and VCs know it. It doesn' just take away the money, it even takes away the plausible deniability. They put a lot of effort to absolutely punish any whistleblower to discourage the rest. Anything for a dollar. and this is probably all you'll ever need to know about almost every VC out there. Beyond the witty "I'm rich so I'm smart" blog posts and tweets, they're very much just the "anything for a dollar" type of people.
To be fair, I’m not sure blatant lying in investor updates alone constitutes fraud. There needs to be harm (or the intent thereof) AFAIK. The other party needs to be using that information to make a decision. If you give me a dollar and then later I tell you I’m actually Beyonce, is that fraud? Or am I just a lying sonofabitch?
It's auditing, nobody that is good at doing anything goes to auditing, unfortunately its one of those jobs. I haven't interacted with any auditor that actually understood all they were auditing, some are better than others but the average is worse than almost any other job description I have dealt with.
If you care about this stuff you need to in-house auditing and do your own audits with people who care. Then get certified by an external auditor for the paper.
You can start very lightweight with doing spec driven development with the help of AI if you're at a size where you can't afford that. It's better than nothing.
But the important part is you, as a company, should inherently care.
If you rely on an auditor feedback loop to get compliant you've already lost.
Nobody really tries to get technical people to do the work.
Like cool, it's a great idea and would potentially produce positive results if done well, but the roles pay half the engineering roles, and the interviews are stacked towards compliance frameworks.
There's very little ability to fix a large public company when HR is involved
But companies don't care. They don't want compliance for feel goods, they want compliance because their partners require it. They do the minimum amount required to check the box
Caring about security and comparing about some of the arbitrary hoops you have to jump through for some of these compliance regimes don’t always overlap as much as you’d expect.
I’ve been at companies where we cared deeply about security, but certain compliance things felt like gimmicks on the side. We absolutely wanted to to do the minimum required to check that box so we could get back to the real work.
The industry is paid to provide a fig leaf for shady practices. Everyone knows what's going on, no one is going to do anything about it unless governments step in and give regulators more resources and more teeth, and "errors" lead to prosecutions and jail time.
None of those are likely.
This is the industry that missed Enron, WorldCom, Wirecard, Lehman, and many others.
You should check out the banking industry sometime if you'd like to interact with a competent auditor.
Compliance gets taken quite seriously in an industry where one of your principal regulatory bodies has the power to unilaterally absorb your business and defenestrate your entire leadership team in the middle of the night.
I've seen this up close. The regulatory bodies as a rule are understaffed, overworked and underpaid. I'm sure they'd love to do a much better job but the reality is that there are just too many ways to give them busywork allowing the real crap to go unnoticed until it is (much) too late.
Because they’re put there as a box ticking exercise without ever being given the power or resources to be able to do damage or negatively impact the bottom line of the big rule breakers. It’s just supposed to maintain the appearance of doing something without ever supporting these activities for real. For the most part they are a true Potemkin village. If the risk is diffuse (just some average Joe suckers will lose money) I wouldn’t hold my breath that anyone is controlling for real.
lol strongly agree it is just cherry on top. In big tech they also copy but just copy in a smart way so I don't believe that's the reason they got removed.
it may be anybody. Even somebody at YC wanting to create a background to drop Delve if suppose Delve were shady and they discovered it (i really don't know anything here and am simply speculating, heard about Delve today first time, just googled and read some techcrunch article - it says Delve has 1000 clients - googled employee count - sub-50, and until it is "an Uber for auditors" i have hard time to believe that 50 Silicon Valley people can do even one compliance certification for one client, with AI or without)
I've seen a bunch of people go on random crusades. Investigation is fun and righteous indignation is intoxicating. For certain personality types it's easy to get completely absorbed by a mystery/crime and not even realize how much time you're spending digging into it until the sun rises. Others may be intensely motivated by perceived injustice, dishonesty, or graft. Or they may feel personally cheated.
I don't know who this person is or whether they are legit but it doesn't surprise me that someone would do this.
Yes, the way this is being pushed online seems like there is a competitor involved. If not in the initial disclosure, then in the daily rehashing of it.
It's also still unclear to me how much fraud they actually were involved in, and how much of the fault falls on them. SOC2 Type II and ISO 27001 are not audited by them, but by actual accredited auditors (apparently mainly Accorp and Gradient), which must have been just as complicit/negligent. As customers of Delve are free to chose their auditors I'm wondering how this hasn't blown up earlier.
If there were not a manipulative competitor, if people just found fraud and abuse of open source compelling and the story was circulating organically, how would that look different? What do you observe that leads you to believe a manipulative competitor is a better hypothesis?
Someone leaked an internal Bookface chat from Garry Tan (YC CEO) saying:
We have asked Delve to leave YC.
YC is a community, not just an accelerator. The founders in our community have to trust each other, and we have to trust them. When that trust breaks down, there's really only one thing to do.
We're not going to get into the details publicly. We wish them well.
Someone doing harm to you doesn't automatically mean you wish harm to them. Not that I necessarily take what Garry says at face value but it's definitely possible to unironically take this viewpoint.
People don’t realize that the people at the top of organizations are effectively like politicians in democratic systems only the vote comes in confidence; usually manipulative, lying, and deceptive because they are inherently dependent on maintaining perception of the people they rely on and underpin their roles and power.
One way in which they do that is to ride or effectively are selected by the system for their mastery of the psychological trick of positivity and optimism that predisposes people to follow and trust, e.g., even when someone betrays you, you “wish them well.
In such systems, courage and hard lines that enforce strict rules, discipline, and principles does not provide the leaders in that system the affordances and benefits of leadership. As has been indicated, the subject behaviors are not only not novel, nor are they unique. What precipitated this current action appears to be the egregious and probably violative nature of the behavior, not the behavior itself. The veneer of perception was pierced, which is the real trigger of action.
Just use my saying what I just said above as an example, there will be people who have not even read this last paragraph and will it will have the urge to down vote what I said solely on the basis that they want to punish me, the messenger, because I’m pointing out things that are very much true and not saying it in a positive manner. It causes feelings of discomfort and especially in American society today where everything is geared towards positivity and good feelings opium, not bad feelings, even if you’re being scammed or defrauded or lied to, you have to remain positive, say things in positive ways, be “constructive”.
I don’t know if it’s sustainable because it’s such a con job at its very core, an abusive confidence trick, maintaining the perception of confidence and optimism to keep people happy and positive and optimistic regardless of red flags; however, we shall all find out one day if no one being able to deal with reality anymore if it’s not wrapped some nicety, is sustainable. Hence, “They violated us/me” but “I wish them well”. See, they are wished well, so everything is fine and we just removed the bad apple, nothing to see here, keep being positive as the telescreen instructs you to.
That’s an oversimplification of what your parent comment said, which was someone who has betrayed your trust.
> It would be interesting if you didn't
Why? What’s interesting about it? You don’t have to actively wish harm on people who harmed you, but there’s nothing strange about not wishing them well.
You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state. To me the default posture is not indifference, but wishing wellness.
We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either. So I take back what I said about what is interesting to me, and I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
> You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state.
Not what I said.
> To me the default posture is not indifference, but wishing wellness.
Same here. I’m not convinced that’s the default state for everyone, though. David Foster Wallace’s “This is Water” comes to mind.
> We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either.
Sure, I get that. Though you’re still answering as if what was in question was the neutral state of “people you don’t associate with” rather than the negative state in question mentioned by your original parent comment of “someone who has wronged you”.
> I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
Interesting. No criticism on my part. My wish would rather be that we don’t wrong each other (which, crucially, requires intentionality) in the first place. And while I don’t typically wish ill on others, I don’t think it’s wrong to not wish well on those who cause harm. If you’re a despot oppressing millions of people for your own selfish benefit, I don’t really think wishing you well is a positive action.
But again, no judgement, I was trying to understand your position, so thank you for clarifying. Have a nice weekend.
The ironic usage makes for compelling dialogue and comports with stereotypes about Southerners as formal/restrained. So that's what ends up on television. At least that is how I think I came about having that impression.
I was half-joking, but if YC has a legal issue resulting from the alleged fraud (unclear currently), kicking out the company for the lesser infraction would make more sense.
Investors aren't on the hook for the bad behavior of companies they invest in. Quite the opposite: Defrauding investors (and acquirers, and creditors) is commonly the thing that lands people like Elizabeth Holmes in prison.
Ycombinator may have financially benefited from the scam operations since the company subsequently raised funds.
Considering they do due diligence before investment and are experts in IT and legal, how could they not know what is the business model when it was the unique selling point ?
Yeah, yeah... of course, of course... like telehealth companies prescribing GLP-1 Ozempic/Wegovy where there is one doctor for 10000 patients. Totally sounds legit.
I wonder if the kind of personality that gets you on 30U30 correlates with being willing to engage in massive fraud, and being able to get away with it for a minute.
Holmes, SBF, Shkreli, Charlie Javice, Ishan Wahi...
When ambitious competitors who can't accept loss or normalcy enter into a field that's saturated with skilled rule-abiding players, they'll cheat.
Hypercompetitive fields will always surface cheaters given enough time. Then regulations pile on to fight the cheating, which makes it harder for honest people to do the good work.
We do not punish cheaters like these as much as we should.
You know, after all this time Lucas Duplan doesn't seem so bad. His hubristic sin was posing for a photo burning fake hundred dollar bills. That just seems like a random Tuesday now.
If I remember correctly, you need to be nominated by someone to be considered for the 30U30 list. Some of the people on those lists will literally run their own campaigns to get on the list, meaning that they'll pay people to nominate them, pay PR firms to run stories and campaigns. Other people do seemingly nothing, and just get nominated by legit people that admire them.
So, I'm fairly certain lists like that will attract some amount of unscrupulous narcissists.
I'd focus less on the U30 part, and more on the 30U, if that makes sense — the problem is with people who seek that sort of attention (and that 79 year old certainly qualifies as wanting that sort of attention). For those people, their businesses are a means to an end in the most cynical way possible.
Speak for yourself. I'm O18 and I don't want him in there like you claim to. Most of his base claimed to be anti-pedo until they saw the evidence in the unredacted subset of the Epstein files that Congress legally forced him to release, and now suddenly they're pro-pedo (and pro-war and pro-bombing-schoolchildren). But you be you, and make baseless evidence-free false equivalence accusations against other people to justify the rapes and legally adjudicated sexual assault and pussy grabbing by the guy you as an "O18" claim you want in there.
They've graduated 5,000+ companies, so some fraud is hard to avoid, especially with young hungry founders willing to do anything to succeed. Honestly, it's a pretty good track record that there's only been a handful of companies like this.
this is a teachable moment for yc, maybe the cost of investing in a sour apple is a lot more than half a mil, maybe there's a brand or reputational cost, even in places you least expect it right, these two seemingly had everything laid out for them by investors, did they even come up with compliance? who told them to work on that? now look what happened, it's like everyone cant get far enough fast enough now. What about their lead investor insight partners? what's that conversation like?
it's all just very strange and stupid, ironically from the the startup posing as auditors..
Every single technical auditor I've dealt with has been majorly incompetent and wanted to do things that would decrease security. And these were not some cheap bottom of the barrel companies but the big "industry leaders".
Sure, most companies could add an About section and probably put this behind them pretty quickly. They could have even hired someone like Delve to assure this kind of thing wouldn’t happen again.
But Delve themselves can’t really do any of that. They’ve screwed up on a fundamental piece of their own business model. Their core offering *is* Compliance as a Service!
How could I trust their word that they’ll ensure my company is compliant? How could I trust their word that a company I’m doing business with is compliant? They can’t even handle their own Apache 2.0 licensed works, and that’s child’s play- relatively speaking. I’m supposed to trust that they can handle PCI and HIPPA and all the rest for other companies?
This is like having a dentist who doesn’t brush and floss their own teeth. Or a building inspector working out of a moldy office suite with exposed rebar. Or an editor with a personal website full of typos and grammatical errors. It’s a dealbreaker to anyone with common sense.
Unlike Zenefits, which had (allegedly?) committed fraud for part of their business in the interest of moving faster, and then Parker came back with Rippling…
These guys’ entire and actual business model was fraud.
This thread is going to use very dressed up and lofty language discussing the issue, in order for the express purpose of dancing around the fundamental issue here.
Y Combinator as a concept, and all of its "children" are rotten to the core.
Every single company is "evil" in some form, and not in the usual "private companies are big baddies" kind of way. They grossly and recklessly violate laws and ethical boundaries day in and day out.
The sooner people are even willing to entertain this, the sooner we can have actual conversation around these issues.
Neither. "Leaving YC" or "being removed from Y combinator" really just means you (more precisely, your YC/HN account) loses access to internal resources like bookface. This does have the knock on effect of essentially isolating you from the community. It's not entirely a punishment, it can be as simple as you are a person who isn't working on a YC company anymore, for example.
This has zero bearing on equity, which would be a different conversation. In this case, I think the YC SAFE is likely to remain as-is, unless the founders choose to return the money, or YC chooses to levy a heavier allegation of fraud (which they don't seem to have done here).
Great to see them take action.
I'm waiting for cambioml next. A married couple notorious for fraud that apparently relocated to ME as a result. That's outside of the terrible treatment of ripping off interviewees (see: https://www.reddit.com/r/devops/comments/1n7cdua/got_a_devop...). Won't even comment on other stories I've heard related to them screwing over employees/cofounders.
> Below are just some of the many inaccuracies in the story and then the truth.
> The Substack inaccurately said Delve relies on “Indian certification mills operating through front companies” and cannot pass legitimate audits. This too is not accurate.
At least it's not GPT but my goodness - you can definitely sense the panic. I think Karun is a little worried.
Having gone through the SOC2 process multiple times and having worked with and read SOC2 reports from many public companies, it's difficult for me to understand the outrage.
The specific fraud allegations are bad (lying about US based auditors) but it's completely normal and common for soc2 reports to be templates with no company specific information. It would be unusual for reports to include anything about the specific information found during an observation window as some have suggested.
SOC2 is basically fake and it isn't possible in practice to fail to be compliant. You really can apply the same template to all companies and automate the audit process.
We have done SOC2 and it's not fake. Its real and enforced some good practices and we spent a lot of time collecting evidence and submitting it. You can take it seriously or you can choose not to.
There are typically two soc2 reports generated from an audit. The first is the one for general use, often just shared publicly. This is probably what you look at from public companies that you have no binding relationship with. The other is the restricted use report which details all the findings and controls. That is typically only shared under NDA.
Its quite ironical and interesting at the same time, seems like there is a threshold size/impact beyond which everyone would come and save you, anything less and you will have to bear the consequences.
YC needs to go back to how it was. Choosing those who know what they are doing, and have been in the game for long and not blindly choose those who have graduated from tier-1 institutions. University degrees mean nothing at the end of the day.
And please stop investing in slop/wrappers. They do not solve World's problems.
I feel there has been complacency set into investing in general where investors are chasing quick money (first crypto and now AI slop) over solving hard/grueling problems that take a long time to fix but have huge returns down the line.
And we have a lot of tough problems that still need solving. AI won't magically fix that, despite being a great tool.
Yeah, used to be that a lot of companies in the batches made more or less sense, or you could at least see how they'd made sense if they managed to successfully reach their vision, even if it many times was a bit wishy-washy.
YC since then seems to have moved into a "spray and pray" approach where the ideas don't matter at all, they're 150% in on the "We invest in founders" idea now, almost too much, although I know that's always been a thing they've thought about. But all the batches since some years ago are just so uninspired and seem to be quick cash grabs, or obviously acquisition targets, rather than "solve a problem you experience yourself" which seemed to be much more popular (and realistic) before.
>choose those who have graduated from tier-1 institutions. University degrees mean nothing at the end of the day.
It means everything for YC's model.
YC does not care about the software.
They care about the founders.
YC's model and ecosystem is explicitly designed to be a who's who club of interconnected founders that are very, very encouraged to """rely""" on each other when building their companies.
YC uses a lot of double speak regarding this ecosystem, but if you explained the concept to a layman on the street they'd tell you exactly what this concept is in just a very few, very blunt words.
Elite-class founders and lots of cheap, imported, or "passionate" labor.
While I do think Delve and the leadership there should be held responsible, it's a bit weird to see YC and others take shots at them for breaking the law when so many of their prized unicorns achieved what they did by being willing to just ignore laws and deal with the consequences later.
While I agree with you, I also find myself wondering who draws the line. Given the current political atmosphere and its increasingly fluid relationship with "truth," I have to consider that the line for others may not be where it is for me — especially given the nuance buried in the details of many B2B deals.
Their value prop had to be strong enough to get past YC, past the other founders in the batch, past due diligence. Given that, I'm no longer comfortable casting "fraud" as a clean binary.
To be clear — I do genuinely believe they are a fraudulent company that lied and deserved to be removed. But introspectively, I have to sit with the fact that the space between "working around dumb regulations" and "outright fraud" is murkier than we'd like to admit.
The vast majority of crimes are still being prosecuted as such. You have to reach a certain size/notoriety and money to buy a POTUS pardon; I doubt that matters for a relatively unknown outfit like Delve.
3. Customers want to do something, you help them do it, and nobody has done it before, so whether it's legal or not is kind of up in the air.
E.G. Uber exploited a legal loophole that distinguished the kind of taxi service you hail on the street from the kind of taxi service you call on a phone.
The latter were much less regulated, and usually much more exclusive and pandering to a richer crowd. Nobody really knew which kind Uber should be classified as, it was the first kind in practice (same customer base as normal taxis) but the second in theory (ordered, not hailed).
Let me more clearly instead say that many successful startups knowingly and intentionally broke the law.
But I agree that Delve is a special case and should naturally be held to a higher standard here because their whole business is around being compliant with the law. When most other startups break the law, they do it to get an advantage over competition. Delve did it in a way that sacrificed their core value towards customers.
The difference is that Airbnb customers used Airbnb because they thought hotel regulations were dumb and overbearing (or at least, they didn't care about the laws). Delve customers were literally trying to obey the law and Delve (allegedly) lied to them about it.
There is a difference between "fake it till you make it" and "blatant widespread fraud", but the line is blurrier than many startups would like to admit.
> Ignoring a law is different from knowingly and intentionally breaking the law
This is like a line from a Naked Gun movie. The only way that this sentence could be true linguistically is if the party doesn’t break the law that they’re ignoring (e.g. I could ignore the rule against perpetuities while drunk driving through a zoo)
I think it's fairly straight forward why. It's because Delve broke the law and got other YC companies in trouble vs other industries & people not under the YC banner.
Like, it's a company that sells AI-slop powered regulatory compliance. How many laws do you think the "fake it ill you make it and you'll never make it" AI will break? But "regulatory compliance" is laws that startups hate, so breaking them is good.
Copyright and the copyleft licenses built upon it are the laws that support the software industry instead of just making sure innocent people aren't hurt by all this innovating and disrupting.
On the one hand the company that was selling companies pre-made “You’re hipaa compliant” pdfs was doing fraud, but on the other hand the companies that were buying “We’re hipaa compliant” pdfs that said they had implemented compliance measures that they definitely hadn’t were also doing fr
This is where I'd actually appreciate "blog spam" i.e. a quick post to mention the URL, link to archive to show what was there before and explain the significance.
So they decide to drop this from their COO while their CEO has been doing all the talking on a friday night? Looks like YC told them they had to announce this and this was their least-viewable option.
Pretty disgusting behavior from the founders just posting as normal on linkedin/twitter as if this is run-of-the-mill. Fraudsters need to be nipped in the bud, lest we get trump-like scenarios.
The headline here says "Delve removed from Y Combinator", but the link doesn't go to a statement by Y Combinator. It goes to a 404.
Is there reason to believe that Delve has been removed from Y Combinator, the organization, or is this more an announcement that Delve has been removed from Y Combinator's website?
"By combining the evidence I collected together with what the sim.ai team provided, I will show that Delve has stolen an open-source company’s tech by violating their license and then making a lot of money with it."
->
You mean like OpenAI, Anthropic and all these other 'unicorns'?
I'm happy we're all clear on how bad Delve is but in essence what they were doing is exactly the same as what these AI companies do.
While I despise the sham commercial LLMs have made out of intellectual property, I think Delve is one step worse than that. The technology behind LLMs is innovative, even if the data used to train them have ethically and legally dubious origins. Delve doesn’t even have the ability to claim anything they’ve done as original, unless you count fraud as a service.
The only thing that makes delve worse in my book is that they're selling compliance, they have zero excuses. But the likes of OpenAI and Anthropic even if they don't sell compliance do whitewash bulk copyright violations and they have valuations far in excess of Delve. Too big to fail I guess.
Interesting! I worked for one YC startup that committed blatant fraud, with the founders vanishing when investors started chasing them to bring them to responsibility. And they haven't been removed. Just marked as "inactive".
Nope. Founders just disappeared with whatever money was left.
They claimed to have a working product and a big list of paying clients while in fact they had a half-assed prototype written by one hapless dude who they paid to the tune of $15 an hour. Which i helped to transform into a somewhat-better prototype and they paid very well for it. But no actual paying clients ever existed and the idea was obviously brain-dead from day one. After they got tired of pretending, they stopped paying, then disappeared. Then years later i read in the news that subsequent investors launched an investigation into fraud and they were put on the list in some countries.
I'm sure no one except themselves ever made any money on it, certainly not YC.
YC invests in military startups, they have no problem killing people if it would make them money. What makes a fake HIPPA compliance cert worse than that?
Fairly inevitable. Like all YC companies, they were total frauds, but they made the cardinal mistake of defrauding other YC companies instead of the general public. Bad move.
But that's just the cherry on top. I don't think they're being thrown out because they violated a license. There are really serious fraud allegations. Allegedly they were rubber-stamping noncompliant customers, leaving them exposed to potential criminal liability under regulations like HIPPA.
https://deepdelver.substack.com/p/delve-fake-compliance-as-a...
I've only skimmed this so I do not endorse these allegations, but I think it's context missing from this discussion.
I’m sure if Delve has only engaged in fraudulent audits or had only resold another YC company’s product, they would have been allowed to stay, the problem is all of that combined pissed off enough other YC companies.
Of course they're responsible for their investments; they're just not liable. YC has a lot to answer for in the damage it's wreaked over the years.
What damage is that? (excluding the present case)
That seems to be an introspective question.
I find it unlikely, for example that there would not be a dominant centralized forum platform. People would have certainly started problematic communities on the dominant platform, and it's unlikely a platform with strict moderation would have gained dominance before 2015 or so. I do think a dominant player would have been established by 2015.
Do you think whatever you see as harmful about Reddit would not have occurred if the company didn't exist?
The delusions people establish to feel better about their or someone else they like mistakes...
>Pre-written audit conclusions. The "Independent Service Auditor's Report" and all test conclusions were already filled in before clients had even submitted their company descriptions...
>Copy-paste templates. 493 out of 494 leaked SOC 2 reports (99.8%) had identical text, same grammatical errors, same nonsensical descriptions...
https://www.complexsystemspodcast.com/episodes/delve-into-co...
I'm seriously disgusted about this because this was one of the very few auditors that we held in pretty high esteem.
Pay-to-play is all too common, and I think that there is a baked in conflict of interest in the whole model.
My response however is a simple one: I used to steer (a lot of) business their way and I have stopped doing that.
And no, I won’t whistleblow either, as it would mostly be me that would face repercussions, and I am unafraid to say that I am a coward.
We choose the battles we fight, and I’d like to believe that ultimately, entropy will defeat them without me lifting a finger.
There are thousands of companies where the shady practices are rewarded, the companies thrive and make money for the investors. So the investors are incentivized to reward this behavior just on the chance that they are rewarded back.
Whistleblowing sinks those chances and the investors and VCs know it. It doesn' just take away the money, it even takes away the plausible deniability. They put a lot of effort to absolutely punish any whistleblower to discourage the rest. Anything for a dollar. and this is probably all you'll ever need to know about almost every VC out there. Beyond the witty "I'm rich so I'm smart" blog posts and tweets, they're very much just the "anything for a dollar" type of people.
You can start very lightweight with doing spec driven development with the help of AI if you're at a size where you can't afford that. It's better than nothing.
But the important part is you, as a company, should inherently care.
If you rely on an auditor feedback loop to get compliant you've already lost.
It has the potential to be incredibly impactful, but often devolves into box ticking (like many compliance functions).
And it's really hard to find technical people to do the work, as it's generally perceived as a cost centre so tends not to get budget.
Like cool, it's a great idea and would potentially produce positive results if done well, but the roles pay half the engineering roles, and the interviews are stacked towards compliance frameworks.
There's very little ability to fix a large public company when HR is involved
So many controls are dubious, sometimes even actively harmful for some set-ups/situations.
And even moreso, it's also perfectly feasible to pass the gates with a burning pile of trash.
Ook goeiemorgen...
I’ve been at companies where we cared deeply about security, but certain compliance things felt like gimmicks on the side. We absolutely wanted to to do the minimum required to check that box so we could get back to the real work.
None of those are likely.
This is the industry that missed Enron, WorldCom, Wirecard, Lehman, and many others.
Compliance gets taken quite seriously in an industry where one of your principal regulatory bodies has the power to unilaterally absorb your business and defenestrate your entire leadership team in the middle of the night.
I've seen this up close. The regulatory bodies as a rule are understaffed, overworked and underpaid. I'm sure they'd love to do a much better job but the reality is that there are just too many ways to give them busywork allowing the real crap to go unnoticed until it is (much) too late.
I don't know who this person is or whether they are legit but it doesn't surprise me that someone would do this.
It's also still unclear to me how much fraud they actually were involved in, and how much of the fault falls on them. SOC2 Type II and ISO 27001 are not audited by them, but by actual accredited auditors (apparently mainly Accorp and Gradient), which must have been just as complicit/negligent. As customers of Delve are free to chose their auditors I'm wondering how this hasn't blown up earlier.
I have no direct knowledge of the accuracy of any of this. This is not my account.
One way in which they do that is to ride or effectively are selected by the system for their mastery of the psychological trick of positivity and optimism that predisposes people to follow and trust, e.g., even when someone betrays you, you “wish them well.
In such systems, courage and hard lines that enforce strict rules, discipline, and principles does not provide the leaders in that system the affordances and benefits of leadership. As has been indicated, the subject behaviors are not only not novel, nor are they unique. What precipitated this current action appears to be the egregious and probably violative nature of the behavior, not the behavior itself. The veneer of perception was pierced, which is the real trigger of action.
Just use my saying what I just said above as an example, there will be people who have not even read this last paragraph and will it will have the urge to down vote what I said solely on the basis that they want to punish me, the messenger, because I’m pointing out things that are very much true and not saying it in a positive manner. It causes feelings of discomfort and especially in American society today where everything is geared towards positivity and good feelings opium, not bad feelings, even if you’re being scammed or defrauded or lied to, you have to remain positive, say things in positive ways, be “constructive”.
I don’t know if it’s sustainable because it’s such a con job at its very core, an abusive confidence trick, maintaining the perception of confidence and optimism to keep people happy and positive and optimistic regardless of red flags; however, we shall all find out one day if no one being able to deal with reality anymore if it’s not wrapped some nicety, is sustainable. Hence, “They violated us/me” but “I wish them well”. See, they are wished well, so everything is fine and we just removed the bad apple, nothing to see here, keep being positive as the telescreen instructs you to.
That’s an oversimplification of what your parent comment said, which was someone who has betrayed your trust.
> It would be interesting if you didn't
Why? What’s interesting about it? You don’t have to actively wish harm on people who harmed you, but there’s nothing strange about not wishing them well.
We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either. So I take back what I said about what is interesting to me, and I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
Not what I said.
> To me the default posture is not indifference, but wishing wellness.
Same here. I’m not convinced that’s the default state for everyone, though. David Foster Wallace’s “This is Water” comes to mind.
> We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either.
Sure, I get that. Though you’re still answering as if what was in question was the neutral state of “people you don’t associate with” rather than the negative state in question mentioned by your original parent comment of “someone who has wronged you”.
> I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
Interesting. No criticism on my part. My wish would rather be that we don’t wrong each other (which, crucially, requires intentionality) in the first place. And while I don’t typically wish ill on others, I don’t think it’s wrong to not wish well on those who cause harm. If you’re a despot oppressing millions of people for your own selfish benefit, I don’t really think wishing you well is a positive action.
But again, no judgement, I was trying to understand your position, so thank you for clarifying. Have a nice weekend.
Kinda like "bless your heart", which means nothing of the sort.
My comment is an internet comment about idioms, not a comprehensive linguistic treatise.
You seem like you're looking for something to be upset about. I wish you well.
Trump On Ghislaine Maxwell: "I Just Wish Her Well" | NBC News
https://www.youtube.com/watch?v=jC2jsRrzCrs
Considering they do due diligence before investment and are experts in IT and legal, how could they not know what is the business model when it was the unique selling point ?
https://www.forbes.com/profile/delve/
30U30 never ceases to amaze.
Holmes, SBF, Shkreli, Charlie Javice, Ishan Wahi...
Hypercompetitive fields will always surface cheaters given enough time. Then regulations pile on to fight the cheating, which makes it harder for honest people to do the good work.
We do not punish cheaters like these as much as we should.
Karma and integrity seem to be treated as an overdraft. But these folks are hardly held back by the systems they work in.
colour me surprised
people still seem to think that forbes scouts the world for the best talents instead of the lists being basically a paid ad
So, I'm fairly certain lists like that will attract some amount of unscrupulous narcissists.
Not "Pay2Win" but possibly something less involved
If you can't trust your batch mates for something as crucial as compliance, the model doesn't work.
They scaled up massively the size of each batch and their frequency to a point where they are incapable of auditing them.
it's all just very strange and stupid, ironically from the the startup posing as auditors..
Shows the “compliance theatre” of what SOC2 has become
Every single technical auditor I've dealt with has been majorly incompetent and wanted to do things that would decrease security. And these were not some cheap bottom of the barrel companies but the big "industry leaders".
That looks like what happened here.
But Delve themselves can’t really do any of that. They’ve screwed up on a fundamental piece of their own business model. Their core offering *is* Compliance as a Service!
How could I trust their word that they’ll ensure my company is compliant? How could I trust their word that a company I’m doing business with is compliant? They can’t even handle their own Apache 2.0 licensed works, and that’s child’s play- relatively speaking. I’m supposed to trust that they can handle PCI and HIPPA and all the rest for other companies?
This is like having a dentist who doesn’t brush and floss their own teeth. Or a building inspector working out of a moldy office suite with exposed rebar. Or an editor with a personal website full of typos and grammatical errors. It’s a dealbreaker to anyone with common sense.
Unlike Zenefits, which had (allegedly?) committed fraud for part of their business in the interest of moving faster, and then Parker came back with Rippling…
These guys’ entire and actual business model was fraud.
Y Combinator as a concept, and all of its "children" are rotten to the core.
Every single company is "evil" in some form, and not in the usual "private companies are big baddies" kind of way. They grossly and recklessly violate laws and ethical boundaries day in and day out.
The sooner people are even willing to entertain this, the sooner we can have actual conversation around these issues.
This has zero bearing on equity, which would be a different conversation. In this case, I think the YC SAFE is likely to remain as-is, unless the founders choose to return the money, or YC chooses to levy a heavier allegation of fraud (which they don't seem to have done here).
And I don't think this is just not "getting locked out of the website", but losing the YC "nod" is a greater deal in itself
https://delve.co/blog/response-to-misleading-claims
> Below are just some of the many inaccuracies in the story and then the truth.
> The Substack inaccurately said Delve relies on “Indian certification mills operating through front companies” and cannot pass legitimate audits. This too is not accurate.
At least it's not GPT but my goodness - you can definitely sense the panic. I think Karun is a little worried.
Good riddance to bad rubbish.
https://delve.co/blog/delve-sets-the-record-straight-on-anon...
https://www.ycombinator.com/companies/?query=delve
The specific fraud allegations are bad (lying about US based auditors) but it's completely normal and common for soc2 reports to be templates with no company specific information. It would be unusual for reports to include anything about the specific information found during an observation window as some have suggested.
SOC2 is basically fake and it isn't possible in practice to fail to be compliant. You really can apply the same template to all companies and automate the audit process.
And please stop investing in slop/wrappers. They do not solve World's problems.
I feel there has been complacency set into investing in general where investors are chasing quick money (first crypto and now AI slop) over solving hard/grueling problems that take a long time to fix but have huge returns down the line.
And we have a lot of tough problems that still need solving. AI won't magically fix that, despite being a great tool.
YC since then seems to have moved into a "spray and pray" approach where the ideas don't matter at all, they're 150% in on the "We invest in founders" idea now, almost too much, although I know that's always been a thing they've thought about. But all the batches since some years ago are just so uninspired and seem to be quick cash grabs, or obviously acquisition targets, rather than "solve a problem you experience yourself" which seemed to be much more popular (and realistic) before.
It means everything for YC's model.
YC does not care about the software.
They care about the founders.
YC's model and ecosystem is explicitly designed to be a who's who club of interconnected founders that are very, very encouraged to """rely""" on each other when building their companies.
YC uses a lot of double speak regarding this ecosystem, but if you explained the concept to a layman on the street they'd tell you exactly what this concept is in just a very few, very blunt words.
Elite-class founders and lots of cheap, imported, or "passionate" labor.
Let's get real here folks.
Their value prop had to be strong enough to get past YC, past the other founders in the batch, past due diligence. Given that, I'm no longer comfortable casting "fraud" as a clean binary.
To be clear — I do genuinely believe they are a fraudulent company that lied and deserved to be removed. But introspectively, I have to sit with the fact that the space between "working around dumb regulations" and "outright fraud" is murkier than we'd like to admit.
...is breaking the law
1. Customers want to do something, you help them do it, but it's illegal.
2. Customers want to do something, you tell them you did it, but you were lying and defrauding them.
3. Customers want to do something, you help them do it, and nobody has done it before, so whether it's legal or not is kind of up in the air.
E.G. Uber exploited a legal loophole that distinguished the kind of taxi service you hail on the street from the kind of taxi service you call on a phone.
The latter were much less regulated, and usually much more exclusive and pandering to a richer crowd. Nobody really knew which kind Uber should be classified as, it was the first kind in practice (same customer base as normal taxis) but the second in theory (ordered, not hailed).
Also, there was no “endgame.” They weren’t trying to change the law; they were exclusively breaking it for profit.
But I agree that Delve is a special case and should naturally be held to a higher standard here because their whole business is around being compliant with the law. When most other startups break the law, they do it to get an advantage over competition. Delve did it in a way that sacrificed their core value towards customers.
this will literally get them in court
This is something Airbnb has facilitated for a very long time, no? And Uber, back when it started.
From a legal perspective I don’t see that it matters whether you’re trying to change the law or not. You’re either following it or breaking it.
In reality, it makes quite a difference if public opinion is on your side or not.
“We decided to commit fraud by providing fake compliance reports” reads very differently from “we let homeowners make money by renting a room”
Huh? In a legal sense I'm pretty sure they're the same thing.
How and why matters, though.
How and why you break a law matters (to a judge / jury). Whether you frame it as "ignoring" vs "breaking" in your legal defense, not so much.
> I ignore the law every day when I jaywalk.
Means the exact same thing as “I intentionally break jaywalking laws every day”. They are equivalent sentences.
Not illegal here, but I hope you not complain when caught and fined.
Including people doing it in front of police. Including the police themselves!
The law only existed for police to harass and fine blacks and Latinos. And indeed, that was how it was struck down.
It is critical to a just society that victims of unjust laws or uneven enforcement complain!
This is like a line from a Naked Gun movie. The only way that this sentence could be true linguistically is if the party doesn’t break the law that they’re ignoring (e.g. I could ignore the rule against perpetuities while drunk driving through a zoo)
Like, it's a company that sells AI-slop powered regulatory compliance. How many laws do you think the "fake it ill you make it and you'll never make it" AI will break? But "regulatory compliance" is laws that startups hate, so breaking them is good.
Copyright and the copyleft licenses built upon it are the laws that support the software industry instead of just making sure innocent people aren't hurt by all this innovating and disrupting.
Anderson Consulting er I mean "Accenture": "Hey, that's our job!"
PWC: "Yeah! Fuck off!"
KPMG: "Damn straight!"
Ernst & Young: "What they said."
Deloitte & Touche: "Ditto."
( https://en.wikipedia.org/wiki/Accounting_scandals#List_of_th... )
Notably YC hasn't wished them a farewell.
Why do all start-ups say this? I don't think there are many companies publicly saying "We're going to go 'scorched earth' on everybody."
Saying it in 2026 just makes it sound more insincere than usual.
> One interesting observation I’ve noticed is a lot of top founders did oddly strong at math from a young age.
https://x.com/kocalars/status/2027076198002553159
Nauseating.
who got these kids into compliance? cause it wasn't them
Is there reason to believe that Delve has been removed from Y Combinator, the organization, or is this more an announcement that Delve has been removed from Y Combinator's website?
->
You mean like OpenAI, Anthropic and all these other 'unicorns'?
I'm happy we're all clear on how bad Delve is but in essence what they were doing is exactly the same as what these AI companies do.
I'd wager there's some prior art...
The only next product launch is an investigation.
They claimed to have a working product and a big list of paying clients while in fact they had a half-assed prototype written by one hapless dude who they paid to the tune of $15 an hour. Which i helped to transform into a somewhat-better prototype and they paid very well for it. But no actual paying clients ever existed and the idea was obviously brain-dead from day one. After they got tired of pretending, they stopped paying, then disappeared. Then years later i read in the news that subsequent investors launched an investigation into fraud and they were put on the list in some countries.
I'm sure no one except themselves ever made any money on it, certainly not YC.