Startup accelerator Y Combinator has parted ways with Delve, the compliance startup currently battling allegations of fraud, intellectual property misuse and data security lapses. Founded by 21-year-old MIT dropouts Selin Kocalar and Karun Kaushik, Delve was accused last month of providing fake security certificates to clients, as well as stealing an existing open-source tool and selling it as their own product.
The accusations were first published in an anonymous Substack post by a whistleblower calling themselves “DeepDelver”.
Karun Kaushik on fraud allegations
Karun Kaushik, the Indian-origin co-founder and CEO of Delve, addressed the controversy surrounding the compliance startup in a video and a blog post shared Friday.
In the video statement shared on X on Friday night, Karun Kaushik and chief operating officer Selin Kocalar denied claims that Delve provided “Potemkin audits” to its clients. “Potemkin audits” are audits that are fake, created to give the appearance of compliance without actually verifying anything.
Sharing the video on X, Kaushik insisted that the allegations stemmed from a coordinated cyberattack using stolen and misrepresented data rather than legitimate whistleblowing.
“There’s been a lot of allegations against Delve. But we haven’t been able to share our side of the story until today due to ongoing cybersecurity and forensics investigations,” he said.
(Also read: )
“That said, we grew too fast and fell short of our own standard. To our customers, we deeply apologize for the inconveniences caused. We take these allegations seriously and have made changes: a new auditor network, free re-audits and pentests for all customers, enhanced transparency in audit communications, and more,” Kaushik clarified.
Not a whistleblower
However, the CEO of Delve insisted that the allegations stemmed from a malicious actor and not an actual whistleblower. He said that a person had purchased a Delve service under false pretences, used it to access company data, and started a smear campaign.
“The evidence we have points to a targeted cyberattack from a malicious actor, not a “.” We believe the attacker purchased Delve under false pretenses, exfiltrated internal company data, and used it to launch a coordinated smear campaign,” Kaushik said on X.
The whistleblower, DeepDelver, had described themselves as a former Delve customer and shared several posts accusing the startup of passing off an open source tool from Sim.ai as its own.
In its statement, Delve refuted these allegations. “The anonymous posts rely on a mix of fabricated claims, cherry-picked screenshots, and data taken out of context.
“For example, the post dismisses our AI while acknowledging it automated 70% of a security questionnaire, highlights a single manual integration while ignoring 600+ automated tests, and falsely claims we “stole” from another YC company when in reality we built on an Apache 2.0 open-source repository, which explicitly permits commercial use, and significantly rebuilt it for compliance use cases. They also mischaracterize our use of policy templates, which are standard across every compliance platform,” the startup said.
(Also read: )
