Industry Compliance

The DeepDelver Delve Article Has Gaps That Nobody Is Talking About

The person who accused Delve of compliance fraud admitted in the same article that they knowingly submitted false security questionnaire answers to enterprise customers to win deals, kept their fraudulent trust page live to close contracts for months, and said their response when they realized customers were being misled was to keep their mouths shut. They also named six private individuals as fraudsters without contacting a single one of them before publishing, and they are currently hosting hundreds of confidential third-party audit reports on a public file share that anyone can access — without the consent of the companies those reports belong to. That is not whistleblowing. That is a campaign. And it deserves the same scrutiny it demanded of Delve.

Updated on March 20, 2026

On March 19, 2026, an anonymous Substack account called DeepDelver published a very long article accusing Delve, a Y Combinator-backed compliance automation company, of running what they described as a systematic fraud operation. The allegations were serious and specific: fabricated audit evidence, rubber-stamp auditors passing off pre-generated reports as independent assessments, a product marketed as AI-powered that allegedly had almost no real AI in it, and criminal exposure for hundreds of client companies who, according to the author, had no idea any of this was happening. Six employees were named individually, with the author stating outright that each of them knowingly participated in deliberate misconduct. The piece linked to a publicly accessible Mega.nz folder containing hundreds of confidential client audit reports and told readers to go ahead and look at them.

The article spread quickly. Journalists picked it up, and named client companies started getting asked about it. The compliance community, which is a fairly small world, started passing it around with the kind of urgency that tends to accompany pieces like this. And honestly, some of what the author documented is genuinely hard to explain away: the textual similarity data across nearly five hundred reports, the script error messages appearing inside production client documents, the test values showing up in live files. That is real evidence that something unusual was happening inside Delve's report generation process, and the piece's technical section deserves to be taken seriously.

But here is the thing that nobody seems to be talking about, and frankly it is remarkable that it has gone this long without being discussed: the person who wrote this article has serious legal and ethical problems of their own, and several of those problems are documented in their own words inside the same piece. The author confessed to participating in fraud. They are currently hosting hundreds of confidential third-party documents on a public file share that anyone can access. They named six private individuals as fraudsters without contacting a single one of them before publishing. They organized what appears to be a coordinated multi-company campaign while presenting themselves as an independent journalist. And they have not reported any of this to a single regulatory authority despite spending thousands of words describing what they call criminal violations affecting millions of people.

These are not peripheral issues. They go directly to the question of what this article actually is and who actually benefits from it. Before anyone treats the DeepDelver piece as settled fact, the author deserves at least the same scrutiny they directed at Delve.

The Author Admitted, In Writing, That They Committed Fraud

Let us start with what is genuinely the most remarkable part of this entire situation, which is that the author of a piece accusing Delve of fraud confessed to their own fraud inside the same document. These are not interpretations or inferences. They are direct, first-person statements from the author describing exactly what they did and why.

The author states explicitly that they knowingly adopted compliance policies that they understood to be inaccurate and then distributed those policies to clients, auditors, and investors. They say they did this because they did not have the time to rewrite the policies themselves. They then describe using Delve's questionnaire AI tool to submit answers to enterprise vendor security reviews, and those answers claimed the author's company had an MDM (mobile device management) system it did not have, had conducted a 200-hour penetration test it never conducted, and performed backup restoration simulations that never happened. When the author realized the answers were false and that enterprise deals were progressing based on those false answers, they describe their decision as follows: they kept their mouths shut. Those are their words. And they then attempted, still by their own account, to salvage those enterprise deals by continuing to present themselves as legitimately compliant when they knew they were not.

Submitting false answers in a vendor security review to win a commercial deal is a deliberate misrepresentation to the company on the other side of that table, and fraud is the plain word for it. If any of those misrepresentations reached investors during a funding round, the exposure extends to securities fraud. The author does not address any of this. They spend thousands of words positioning themselves as a victim of Delve's deceptive practices while describing their own deliberate decision to deceive enterprise customers and possibly investors, and they apparently expect the reader not to notice the contradiction sitting right there in the same document.

There is also the timeline, which tells its own story. The author continued using Delve for months after developing serious concerns about the legitimacy of the product. During that entire period they kept their trust page published and actively used it to close commercial deals. They only took it down recently. Someone who genuinely believed they were being defrauded, and that their trust page contained fabricated security measures, would not keep using that trust page to sell to customers for months while preparing an exposé about compliance fraud. That is a choice the author made, and it is a choice that reflects on how seriously they actually took the concerns they are now presenting as urgent public interest journalism.

Redistributing Hundreds of Confidential Client Documents on a Public File Share Is a Serious Legal Problem

The author did not simply write an article. They downloaded hundreds of confidential audit reports belonging to real companies, uploaded them to a Mega.nz folder, published the link publicly inside their article, and invited anyone on the internet to access, browse, and download those reports. Those documents contain private signatures of named individuals, confidential architectural diagrams of company systems, personally identifiable information of corporate officers, and sensitive security configuration details. None of the companies whose reports ended up in that Mega folder authorized the author to download their documents, host them on a public file share, or redistribute them to the general public. None of them were asked. None of them consented.

The author appears to be treating this as straightforward whistleblowing, the idea being that because the spreadsheet was publicly accessible due to Delve's error, anyone was entitled to download whatever they found there and do whatever they wanted with it. That is not how the law works. A document being accidentally exposed is legally and meaningfully different from that exposure granting authorization to downstream parties to download, retain, and publish the contents. Courts have addressed situations where parties knowingly accessed and redistributed materials they understood to be accidentally exposed rather than deliberately shared. Whether that conduct counts as unauthorized access under the Computer Fraud and Abuse Act is a contested question (the Supreme Court narrowed the statute's "exceeds authorized access" prong in Van Buren v. United States in 2021), but the CFAA is only one of the possible theories; contract, trade secret, and privacy claims do not depend on it, and the author's retention and republication of the material carries real legal stakes under any of them.

The GDPR dimension of this situation is, honestly, almost poetic given the context. The author spends considerable space in the article warning about the GDPR exposure that Delve's clients are facing because of inadequate compliance practices. The author is, right now, today, as of the date this analysis was published, operating a publicly accessible file share containing hundreds of documents that almost certainly include personal data relating to EU residents, given the international composition of the named client list. Hosting and publicly distributing personal data of EU residents without a legal basis for doing so is a GDPR violation. The author built a significant portion of their fraud argument around GDPR compliance failures and is simultaneously committing a GDPR violation of their own in the process of making that argument. That is not a minor irony; it is a substantive legal problem that supervisory authorities can and do investigate.

Every company whose confidential documents are sitting in that Mega folder right now has independent legal standing to pursue a takedown and to seek damages from whoever put them there. Delve's report templates are embedded in every one of those documents, which arguably gives Delve a copyright interest in them and, with it, standing to send DMCA takedown notices to Mega.nz without filing a lawsuit first. Mega, like any hosting provider that relies on safe-harbor protection, processes valid DMCA notices. The affected client companies should know this. Their legal teams, if they have not already been alerted, should be looking at this situation right now.

Six People Were Named by Someone Who Refuses to Name Themselves

The article identifies six individuals by name: Karun Kaushik, Selin Kocalar, Charles Nwatu, Taher Lokhandwala, Isaiah de la Fuente, and Varun Gurnaney. For each of them, the author states that they knowingly participated in deliberate misconduct. Calling someone a knowing participant in deliberate fraud is about as serious an allegation as you can make about a private individual. These people have careers, professional reputations, and livelihoods that are directly affected by having their names attached to those words in a document that has now been shared widely across the compliance and startup communities. And the person who made those allegations about them refuses to identify themselves.

The author published under a pseudonym. They disclosed no personal identity, no employer, no professional background in compliance or auditing, and no potential conflicts of interest. They coordinated the investigation with colleagues from multiple companies whom they also declined to identify. They sought no comment from any of the six named individuals before publishing. They offered no right of reply. That last point deserves particular emphasis because it is so far outside the basic standards of responsible publication: if you are going to name a private individual and call them a knowing participant in deliberate fraud, the absolute minimum standard of fairness is that you ask them about it first. The author did not do that for a single one of the six people they named.

The specific evidence used to implicate Selin Kocalar and Taher Lokhandwala personally is weak enough that it genuinely should not have survived editorial review if anyone responsible was looking at this piece critically. The author concludes that Selin Kocalar was personally involved in setting up the report generation tool because an email address that appears to match her name showed up in one spreadsheet test row. That is the whole evidentiary basis for that conclusion. Any Delve employee could have typed her email address into a test field during product development for any number of reasons. The Taher Lokhandwala implication rests on the string 'Taher re mariala' appearing in another test row, which the author treats as evidence of personal involvement in fraud. These are test data entries from a development spreadsheet, and the inferential leap from 'your name appears in a test field' to 'you knowingly participated in deliberate misconduct' is enormous and unsupported.

Anonymous authorship does not provide legal immunity from defamation claims. Substack, like any other platform, can be served with a subpoena for an account holder's identity, and courts can compel that disclosure through discovery once a defamation claim clears the threshold for unmasking an anonymous speaker. Each of the six named individuals has their own independent standing to pursue this. Given what has been alleged about them specifically, they and their counsel should be exploring those options seriously.

This Was a Coordinated Campaign That Got Packaged and Presented as Independent Journalism

The author describes organizing the investigation in collaboration with colleagues from multiple Delve client companies. None of those colleagues are identified anywhere in the piece. The author does not name a single one of them, does not identify which companies they work for, and does not disclose any of their potential conflicts of interest. Every piece of corroborating testimony that supports the narrative in sections two through four of the original article comes from these unnamed, unverifiable, undisclosed sources. A reader has no way to evaluate who those people are, what they stand to gain from this publication, whether they have any competitive relationship to Delve, or whether their accounts are accurate.

The article was completed, by the author's own statement, as of mid-January 2026. It was published on March 19, 2026. That is a gap of roughly two months between when the investigation concluded and when it was published. The author does not explain this gap anywhere in the piece. They do not say whether they consulted lawyers during this period, whether they attempted to sell the story to an established publication, whether they gave Delve any private opportunity to respond before going public, or what the strategic reasoning behind the timing was. A two-month gap followed by a coordinated public release with a live Mega data dump attached to it, labeled as 'Part I' with more installments presumably coming, has the shape of a planned campaign rather than a journalist sitting on a story to make sure the reporting is solid.

Then there is the question of who sent the original email, which is frankly the most underexamined part of this entire story. Before the DeepDelver article existed, before the author started writing, someone sent a sophisticated email to hundreds of Delve clients alerting them to the leaked spreadsheet and making specific technical allegations about Delve's report generation process. That email required the sender to have Delve's complete client list, which is confidential commercial information. It required technical knowledge sufficient to analyze the report generation process and articulate allegations about it coherently. And it required access to the leaked materials early enough to analyze them before Delve had restored access controls. The author builds the entire foundation of their piece on materials that originated from this person and never once asks who they are, how they obtained Delve's private client list, or what their relationship to the compliance industry might be.

Delve has stated that they believe competitors are responsible for the campaign against them. The author dismisses this claim without actually investigating it. The profile of the person who sent that original email, someone technically sophisticated, in possession of confidential client data, motivated to cause damage, and operating with apparent advance knowledge of the breach, does not obviously match a random dissatisfied customer who happened to be on the client list. If the original sender turns out to have a competitive relationship to Delve, the entire framing of the DeepDelver article as independent whistleblowing collapses completely. That question deserves an answer, and the author chose not to pursue it.

There is also a small but telling detail in the article's closing section, where the author adds a footnote mentioning CompAI by name. The piece is ostensibly about Delve. There is no obvious editorial reason to name a competitor in a closing footnote without explaining the relationship. The author never discloses whether they have any connection to CompAI, whether any of their unnamed collaborators are affiliated with CompAI, or why that company warranted a mention at all. It is a small detail but it is exactly the kind of thing that raises reasonable questions about whose interests this publication actually serves.

The Author Almost Certainly Violated Their Confidentiality Agreement With Delve

Standard B2B software agreements include mutual confidentiality provisions covering internal platform details, proprietary processes, pricing information, and internal communications. The author's company signed a contract with Delve to access their platform and services. That contract almost certainly included confidentiality obligations of this kind. The article then proceeds to publish internal screenshots of the Delve product interface in significant detail, document the full trajectory of internal pricing negotiations including specific dollar amounts and what was offered at each stage, describe the content of internal communications between Delve staff and the author's team, and comprehensively reverse-engineer what the author describes as Delve's proprietary report generation methodology.

This is a contract breach claim that exists entirely separately from the data redistribution problem, and it is one that covers the editorial substance of the article itself rather than just the Mega folder. The scope of the confidentiality exposure here is potentially broad, and it gives Delve an additional independent legal basis to seek identification of the anonymous author through discovery, entirely separate from any defamation theory or data-related claim. This is worth understanding clearly: Delve may have multiple simultaneous legal avenues to identify who wrote this, and the author's anonymity is considerably less protective than they may have assumed when they decided to publish.

Where the Evidence in the Article Actually Holds Up and Where It Falls Apart

To be direct about this: the textual similarity analysis across 493 reports is real evidence that is genuinely difficult to explain away with innocent interpretations. If 99.8% of client reports share identical specific phrases, including phrases with grammatical errors that would only be consistent across documents if they were generated from a single source, that is a meaningful finding. The script error messages appearing in production client documents are real and they are the kind of artifact that results from automated generation processes, not manual assembly. The test values propagating from a development spreadsheet into live client files are real. The author's central claim that Delve was generating reports programmatically rather than having auditors compose them independently from scratch is supported by this evidence in a way that Delve's public denials have not meaningfully addressed.
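The two evidence classes the passage leans on, phrases repeated verbatim across a batch of reports (including shared misspellings) and generation artifacts leaking into finished documents, are both mechanically checkable. The script below is an added example, not code from the DeepDelver article, from Delve, or from any of the named firms: it shingles each report into six-word windows, flags windows that recur across most of the batch, and scans each document for unrendered template placeholders, script error text, placeholder values, and spreadsheet error codes. The four report excerpts are constructed for illustration and are not real audit text; the artifact patterns are assumptions about what such leaks typically look like. It goes slightly beyond the article's case by also giving a per-document boilerplate ratio and a pairwise similarity score, which is what a procurement reviewer would want for a whole vendor batch rather than a single pair.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample excerpts standing in for four client reports (not real audit
# text). Three are the same boilerplate with only the client name swapped; one is
# written independently. The misspelling "occured" is repeated in every copy of
# the boilerplate, the kind of shared error that points at a single source.
BOILERPLATE = (
    "Description of controls. The service organization has implemented logical "
    "access controls over its production systems. We inspected the access control "
    "policy and observed that multifactor authentication is enforced for all user "
    "accounts. No exceptions noted. Incident response. No security incidents "
    "occured during the examination period, therefore the operating effectiveness "
    "of the control could not be tested."
)
SAMPLE_REPORTS: Dict[str, str] = {
    "acme": "Acme Analytics Inc. SOC 2 Type II report. " + BOILERPLATE,
    "bolt": "Bolt Logistics LLC. SOC 2 Type II report. " + BOILERPLATE,
    # Unrendered placeholder plus a leaked Python traceback: generation artifacts.
    "generated": "{{client_name}} SOC 2 Type II report. " + BOILERPLATE
    + " Traceback (most recent call last): KeyError 'auditor_name'",
    "northwind": (
        "Northwind Health SOC 2 Type II report. During our fieldwork we sampled "
        "forty terminated employees and confirmed that badge and VPN access had "
        "been revoked within one business day. Two exceptions were identified and "
        "are described in section four. The incident register listed one phishing "
        "event, which we traced through the ticketing system to closure."
    ),
}

WINDOW = 6  # words per shingle; long enough that chance overlap is rare

# Assumed artifact classes: strings that have no business in a finished report.
ARTIFACT_PATTERNS = {
    "unrendered_template": re.compile(r"\{\{[^}]*\}\}|\$\{[^}]*\}"),
    "script_error": re.compile(r"(?i)\b(?:traceback|keyerror|typeerror|valueerror|undefined|nan)\b"),
    "placeholder_value": re.compile(r"(?i)\b(?:test|lorem ipsum|todo|tbd|placeholder)\b"),
    "spreadsheet_error": re.compile(r"#(?:REF|N/A|VALUE|NAME|DIV/0)[!?]"),
}


def tokenize(text: str) -> List[str]:
    return re.findall(r"[a-z0-9']+", text.lower())


def shingles(text: str, n: int = WINDOW) -> Set[str]:
    """All n-word windows of the text, so overlap becomes a set operation."""
    words = tokenize(text)
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Pairwise similarity of two shingle sets (1.0 = identical text)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def shared_phrase_report(reports: Dict[str, str], n: int = WINDOW,
                         min_fraction: float = 0.75) -> Tuple[Set[str], Dict[str, float]]:
    """Return the phrases present in at least min_fraction of the reports, and
    for each report the share of its own phrases that are such cross-client
    boilerplate. A hand-written report scores near 0; a filled-in template
    scores near 1."""
    per_doc = {name: shingles(text, n) for name, text in reports.items()}
    counts: Counter = Counter()
    for s in per_doc.values():
        counts.update(s)
    threshold = min_fraction * len(reports)
    boilerplate = {phrase for phrase, c in counts.items() if c >= threshold}
    ratios = {name: (len(s & boilerplate) / len(s) if s else 0.0)
              for name, s in per_doc.items()}
    return boilerplate, ratios


def find_artifacts(text: str) -> Dict[str, List[str]]:
    """Map artifact class -> matched strings; empty dict when the text is clean."""
    hits: Dict[str, List[str]] = {}
    for label, pattern in ARTIFACT_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[label] = found
    return hits


def triage(reports: Dict[str, str], ratio_threshold: float = 0.8) -> Dict[str, dict]:
    """Per-report verdict combining both signals."""
    _, ratios = shared_phrase_report(reports)
    verdicts = {}
    for name, text in reports.items():
        artifacts = find_artifacts(text)
        verdicts[name] = {
            "boilerplate_ratio": round(ratios[name], 3),
            "artifacts": artifacts,
            "suspect": ratios[name] >= ratio_threshold or bool(artifacts),
        }
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_REPORTS).items():
        print(name, verdict)
```

On a real batch, point `SAMPLE_REPORTS` at the extracted text of each PDF. A high boilerplate ratio on its own only shows template use; it says nothing about whether anyone reviewed the evidence behind the report, which is the distinction the next paragraph draws. The artifact scan is the stronger signal, because an unrendered placeholder or a traceback in a signed report means no human read that page before it shipped.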

But there is a significant analytical problem with how the author handles that finding, which is that they treat template use and auditor non-review as the same thing when they are two separate claims. A compliance platform using standardized report scaffolding does not, by itself, prove that auditors signed off without reviewing any underlying evidence. The author establishes convincingly that Delve generated reports from templates. They never close the loop on whether the named auditing firms conducted any genuine review of client evidence before signing those reports. Those are different claims and they require different evidence. The gap between them is where Delve's strongest defense argument lives, and the article never actually addresses it.

The 259 of 259 identical conclusions for event-dependent controls are presented throughout the article as deeply suspicious, but the author undercuts their own argument here by acknowledging that these conclusions cover controls that could not be tested because the triggering event never occurred: a security incident that did not happen, a personnel change that did not take place, a customer termination that did not occur. That is genuinely standard SOC 2 Type II language; when no instance of a control's trigger occurs during the examination period, the auditor records that the control's operating effectiveness could not be tested, because there is nothing to sample. The identical phrasing across all documents is consistent with template generation, but the underlying conclusion itself is procedurally appropriate, and the author's framing of it as suspicious glosses over their own acknowledgment that these conclusions are standard practice.

The SimStudio situation is another place where the author's argument overreaches in a way that weakens the whole piece. SimStudio is MIT-licensed open source software. Under the MIT license, anyone may deploy, modify, and commercialize the software for any purpose, including building a commercial product on top of it; the only obligation is to keep the copyright and permission notice with any copies of the software they distribute, and running it as a hosted service is not a distribution that triggers any public disclosure requirement. Claiming to have 'built something from the ground up' when you have deployed an open source tool is dishonest, and the author is right to call it out as such. But the author never establishes what specific legal obligation or contractual promise Delve violated by doing it, and without that, the SimStudio point is an example of a company being misleading rather than an example of fraud.

The Market Itself Has Not Responded the Way the Article's Claims Would Predict

Here is something that genuinely deserves more attention than it has received in the discussion around this article: if Delve's SOC 2 reports were as obviously and fundamentally deficient as the author describes, with identical boilerplate descriptions across every client, the same templated controls for every company regardless of their actual security posture, and conclusions that were written before anyone reviewed any evidence... the enterprise security teams receiving those reports would have noticed. Fortune 500 procurement and vendor security teams employ professionals who evaluate compliance documentation as a core part of their jobs. Those people have looked at hundreds of SOC 2 reports from dozens of different auditors and platforms. They know what a properly constructed SOC 2 report looks like and they know what a cut-and-paste job looks like. The fact that Delve was successfully landing enterprise deals, and that clients were renewing after their first engagement, suggests that at least some of those reports were clearing enterprise review processes conducted by people who do this professionally.

The author names Lovable, Bland, Incorta, HockeyStack, Duos Edge AI, and several other funded companies as affected parties throughout the piece. Those companies have their own legal and communications teams. They have been named in a widely circulated article alleging that their compliance documentation is fraudulent and that their security posture has been misrepresented to their own customers. Not one of those companies has publicly stated that they were misled, that their Delve reports were rejected by enterprise customers, or that they experienced any actual harm from using Delve's services. That silence is not neutral; it is the absence of corroboration from the parties the author most prominently identifies as victims.

Delve raised $32 million from Insight Partners in a Series A round. Before that they went through Y Combinator. They were covered favorably by Forbes. Insight Partners runs one of the more thorough due diligence operations in growth equity; they are specifically focused on software companies and they have seen enough compliance and security vendors to know what questions to ask. YC has its own technical and commercial review process. The author never addresses why multiple sophisticated institutional actors with significant financial interests, professional due diligence obligations, and genuine expertise in evaluating software companies all failed to identify the systematic fraud that the author found through a few weeks of document analysis. That gap in the argument matters and the article provides no answer for it.

The Author Never Reported Any of This to Any Regulator

This is, when you sit with it for a moment, quite remarkable. The author spends thousands of words describing what they call criminal HIPAA violations affecting millions of Americans' healthcare data, GDPR violations affecting EU residents, professional ethics violations by multiple named audit firms operating under AICPA standards, and potential securities fraud implications for a publicly traded company. Every one of those categories of alleged violation has a specific authority that exists to investigate it. HHS's Office for Civil Rights enforces HIPAA. EU data protection authorities enforce GDPR. The AICPA has professional conduct and ethics processes for its members, and state boards of accountancy license and discipline CPA firms. The SEC investigates securities fraud.

The author did not contact any of them. There is no mention anywhere in the article of reporting these findings to HHS, filing a complaint with a data protection authority, alerting the AICPA about the named audit firms, or contacting the SEC about the publicly traded company. The author describes violations that they frame as urgent, criminal, and affecting millions of people... and then published a Substack post with a Mega data dump attached to it. If the violations described in this article are real and as serious as the author claims, the regulatory bodies with jurisdiction over those violations should have this information. Filing a complaint with the AICPA about an audit firm suspected of rubber-stamping reports costs nothing. Reporting HIPAA violations to HHS is exactly what HHS's reporting mechanisms exist for. The author did none of this. They published a Substack article instead. That choice says something about the actual purpose of this publication that the author does not address anywhere in the piece.

Nobody Asked the Auditing Firms What They Actually Did

The article names Accorp, Glocert, Accorian, Gradient Certification, Prudence Advisors, and BQC Assessment as audit firms that rubber-stamped reports without conducting genuine independent review. These are real businesses with real employees whose professional reputations and livelihoods are directly implicated by those allegations. The author did not contact a single one of them before publishing. None of them were given any opportunity to describe their engagement processes, explain what review they actually conducted, respond to the specific evidence the author compiled, or dispute any of the claims made about them.

The author's treatment of these firms as inherently suspect because several of them are India-based also deserves examination. SOC 2 examinations are performed under AICPA attestation standards by independent CPA firms, and nothing in those standards restricts where the firm is based; firms outside the United States do issue SOC 2 reports. The author frames the India location as self-evidently a problem throughout the piece without ever establishing what specific regulatory requirement makes a firm based in India categorically ineligible to conduct these audits. There may be a genuine argument here about whether those firms meet specific independence and qualification standards, but the author never makes that argument with precision; they rely instead on the implication that foreign means fraudulent, which is a meaningfully different claim and a weaker one.

There Are No Identified Victims in This Entire Article

Real investigative journalism about fraud finds the people who were actually harmed by the conduct being exposed. The piece makes sweeping claims about criminal HIPAA exposure for hundreds of companies, GDPR fines for processing EU resident data without adequate safeguards, enterprise customers being deceived into commercial relationships based on fraudulent compliance documentation, and millions of Americans whose healthcare data is at risk because companies handling their PHI are not actually compliant. Every one of those claims implies real harm to real people and organizations. The author produced none of them.

There is no enterprise customer quoted anywhere in this piece saying that a Delve SOC 2 report misled them into a vendor relationship that exposed their data. There is no patient whose healthcare records were compromised because a healthcare company obtained a fraudulent HIPAA compliance certification through Delve. There is no investor on record saying they funded a company in reliance on compliance documentation that turned out to be fabricated. The entire harm case in the article is theoretical: a chain of inferences from product deficiencies to imagined downstream consequences that the author never documents actually occurring in the real world with real people and real damages.

A product that relies heavily on templates, requires more manual work than its marketing implies, and has auditing relationships that raise independence questions is a product with real problems worth discussing. Those problems exist on a spectrum and they are worth the industry's attention. Systematic criminal fraud creating HIPAA liability for hundreds of companies and putting millions of Americans' healthcare data at risk is a different and far more serious claim, and it requires documented real-world harm to real people to support it. The author found evidence for the former and asserted the latter, and the piece does not clearly distinguish between those two very different things.

Conclusion

The compliance industry matters because it protects real people. When companies claim to meet security and privacy standards they have not actually achieved, the downstream consequences fall on patients whose medical records get exposed, on employees whose personal data gets mishandled, and on the customers of every company that made business decisions based on compliance certifications that did not represent reality. Holding compliance vendors accountable for what they promise versus what they deliver is genuinely important work.

But the work of holding vendors accountable carries its own obligations. Publishing under your own name. Offering the people you are accusing the chance to respond before you publish. Going to regulators when you believe you have evidence of criminal violations affecting millions of people. Not hosting hundreds of confidential third-party documents on a public file share. Not spending thousands of words accusing a company of fraud while simultaneously confessing in the same document that you participated in your own version of the same misconduct.

Some of what the DeepDelver article documents about Delve's report generation process raises real questions that deserve serious attention from the AICPA, from enterprise procurement teams, and from companies evaluating compliance automation vendors. Those questions are worth pursuing through the channels that exist precisely for that purpose. The way this particular author chose to raise them, anonymously, with named individuals attached, through a coordinated campaign with undisclosed participants, while personally hosting a live data breach, while declining to contact any regulator about violations they describe as criminal and urgent... that approach raises its own questions that deserve the same scrutiny the author demanded of Delve.

If the evidence here is as strong as the author claims, the regulators should have it. The AICPA should have it. HHS should have it. The SEC should have it. The affected companies should have it through proper legal channels. The author gave it to Substack instead, with a Mega link attached, labeled as Part I, with more coming. That is a campaign. And campaigns have authors, funders, beneficiaries, and motives that are just as worth examining as the companies they target.
