I'm getting the impression that a lot of people in this thread think this is because they violated an open-source license and saying things to the effect of, "they're just the ones who got caught". I also thought that was the scandal initially. (And when it comes to license violations, yes, there's absolutely more where that came from.)
But that's just the cherry on top. I don't think they're being thrown out because they violated a license. There are really serious fraud allegations. Allegedly they were rubber-stamping noncompliant customers, leaving them exposed to potential criminal liability under regulations like HIPPA.
YC has no problem with morally questionable behavior, many YC startups do things that are just as shady. YC is, ultimately, not responsible for what these startups choose to do. Delve’s problem is that they betrayed so many other YC companies in the process. An important value of being in YC is access to a ready-made customer base. The licensing issue is nothing compared to their fake audits but it is an affront to the YC community, hence, kicked from the community.
I’m sure if Delve has only engaged in fraudulent audits or had only resold another YC company’s product, they would have been allowed to stay, the problem is all of that combined pissed off enough other YC companies.
Scribd are quite annoying. The pitch was "the YouTube for documents" allowing stuff to be posted and shared but they tend to try and get subscription money off you to see anything unlike the likes of YouTube.
I think when making the claim a company is a net negative, it's necessary to explore what would have happened if the company hadn't been founded.
I find it unlikely, for example that there would not be a dominant centralized forum platform. People would have certainly started problematic communities on the dominant platform, and it's unlikely a platform with strict moderation would have gained dominance before 2015 or so. I do think a dominant player would have been established by 2015.
Do you think whatever you see as harmful about Reddit would not have occurred if the company didn't exist?
It would have happened more slowly at least, delaying the increase in populism, nihilism and depression in the Western world, the anglosphere in particular.
What traits specific to Reddit as opposed to a hypothetical generic alternative forum platform do you think are major contributors to those social trends?
Recommendation engine pushing users into ideological bubbles, public voting mechanism creating incentive for conformity which then creates purity spirals, lack of moderation.
Early Reddit had a recommended tab, but that didn't last long. The current recommendation features are relatively recent - this decade at least.
It would surprise me if the winner in that space didn't have a public voting mechanism. Digg, Reddit's early major competitor had one, and heavy-handed moderation surrounding the HD-DVD decryption key leak was one of the major inflection points that drove users from Digg to Reddit. Stricter moderation during that time period would have been a losing strategy.
The “I just have the arsonist the match, I didn’t tel him to strike it” approach of tech bros has caused untold damage to the world over the last 20
Years.
I think it’s partly that, but also that when you have something that is toxic, radioactive and on fire on your ship, you shove it overboard, and assess just how bad the damage was afterwards.
>Pre-written audit conclusions. The "Independent Service Auditor's Report" and all test conclusions were already filled in before clients had even submitted their company descriptions...
>Copy-paste templates. 493 out of 494 leaked SOC 2 reports (99.8%) had identical text, same grammatical errors, same nonsensical descriptions...
There's an excellent podcast and writeup on this from Patrick mcKenzie, which explains the story in more detail, including an interpretation of their statement and background on why this is a scandal in the first place.
I came across a top tier compliance auditor doing the same thing recently. I tried to talk to them about it and rather than approaching this from a constructive point of view they wanted to know the name of the company that got certified so they could decertify them and essentially asked me to break my NDA. That wasn't going to happen, I wanted to have a far more structural conversation about this and how they probably ended up missing some major items (such as: having non-technical auditors). They weren't interested. They were not at all interested in improving their processes, they were only interested in protecting their reputation.
I'm seriously disgusted about this because this was one of the very few auditors that we held in pretty high esteem.
Pay-to-play is all too common, and I think that there is a baked in conflict of interest in the whole model.
Yes. But I'm not working at either company and I'm 99.9% sure that it would lead to absolutely nothing other than a lot of misery for myself. The NDA's I sign have some pretty stiff penalties attached. I was actually hoping to see my trust in the auditing company confirmed and I'm still more than a little bit annoyed that they did not respond in a more constructive way.
My response however is a simple one: I used to steer (a lot of) business their way and I have stopped doing that.
I've already established that it was improper. It's up to them to make the most of that knowledge and then to determine of this is a singleton or an example of a class that has more representation. In that sense it is free to them, I'm under absolutely no obligation to provide them with a service. But I'm willing to expend the time and effort required to get them to make the most of it. What I'm not going to do is to allow them to play the blame game or 'shoot the messenger'.
I didn't mean it as a criticism, I think giving them the opportunity to improve and refusing to offer a scapegoat were both standup things to do. I'm just wondering if they were ever in a position to take that opportunity.
Similar boat. Seen the same shenanigans being played with actors who really should know better - everything from military secrets to medical data, and absolutely YOLOing it with an audit mill. I have it on good authority that there are superuser credentials floating around for their production systems that they’ve lost track of.
And no, I won’t whistleblow either, as it would mostly be me that would face repercussions, and I am unafraid to say that I am a coward.
We choose the battles we fight, and I’d like to believe that ultimately, entropy will defeat them without me lifting a finger.
I'd called out fraud (blatant lying in investor updates) at a VC backed startup where I was a technical co-founder, once. I emailed all the investors and presented all the evidence to them. They decided to not rock the boat and keep my charlatan co-founder. So, I left. Now, the company is slowly bleeding to death.
There are thousands of companies where the shady practices are rewarded, the companies thrive and make money for the investors. So the investors are incentivized to reward this behavior just on the chance that they are rewarded back.
Whistleblowing sinks those chances and the investors and VCs know it. It doesn' just take away the money, it even takes away the plausible deniability. They put a lot of effort to absolutely punish any whistleblower to discourage the rest. Anything for a dollar. and this is probably all you'll ever need to know about almost every VC out there. Beyond the witty "I'm rich so I'm smart" blog posts and tweets, they're very much just the "anything for a dollar" type of people.
To be fair, I’m not sure blatant lying in investor updates alone constitutes fraud. There needs to be harm (or the intent thereof) AFAIK. The other party needs to be using that information to make a decision. If you give me a dollar and then later I tell you I’m actually Beyonce, is that fraud? Or am I just a lying sonofabitch?
If I give you a dollar and you say it’s being spent wisely, Beyonce loves the product, you’re about to land Taylor Swift as pro bono public ambassador… yeah that’s fraud.
It's auditing, nobody that is good at doing anything goes to auditing, unfortunately its one of those jobs. I haven't interacted with any auditor that actually understood all they were auditing, some are better than others but the average is worse than almost any other job description I have dealt with.
If you care about this stuff you need to in-house auditing and do your own audits with people who care. Then get certified by an external auditor for the paper.
You can start very lightweight with doing spec driven development with the help of AI if you're at a size where you can't afford that. It's better than nothing.
But the important part is you, as a company, should inherently care.
If you rely on an auditor feedback loop to get compliant you've already lost.
Nobody really tries to get technical people to do the work.
Like cool, it's a great idea and would potentially produce positive results if done well, but the roles pay half the engineering roles, and the interviews are stacked towards compliance frameworks.
There's very little ability to fix a large public company when HR is involved
But companies don't care. They don't want compliance for feel goods, they want compliance because their partners require it. They do the minimum amount required to check the box
Caring about security and comparing about some of the arbitrary hoops you have to jump through for some of these compliance regimes don’t always overlap as much as you’d expect.
I’ve been at companies where we cared deeply about security, but certain compliance things felt like gimmicks on the side. We absolutely wanted to to do the minimum required to check that box so we could get back to the real work.
The industry is paid to provide a fig leaf for shady practices. Everyone knows what's going on, no one is going to do anything about it unless governments step in and give regulators more resources and more teeth, and "errors" lead to prosecutions and jail time.
None of those are likely.
This is the industry that missed Enron, WorldCom, Wirecard, Lehman, and many others.
You should check out the banking industry sometime if you'd like to interact with a competent auditor.
Compliance gets taken quite seriously in an industry where one of your principal regulatory bodies has the power to unilaterally absorb your business and defenestrate your entire leadership team in the middle of the night.
I've seen this up close. The regulatory bodies as a rule are understaffed, overworked and underpaid. I'm sure they'd love to do a much better job but the reality is that there are just too many ways to give them busywork allowing the real crap to go unnoticed until it is (much) too late.
Because they’re put there as a box ticking exercise without ever being given the power or resources to be able to do damage or negatively impact the bottom line of the big rule breakers. It’s just supposed to maintain the appearance of doing something without ever supporting these activities for real. For the most part they are a true Potemkin village. If the risk is diffuse (just some average Joe suckers will lose money) I wouldn’t hold my breath that anyone is controlling for real.
lol strongly agree it is just cherry on top. In big tech they also copy but just copy in a smart way so I don't believe that's the reason they got removed.
Someone leaked an internal Bookface chat from Garry Tan (YC CEO) saying:
We have asked Delve to leave YC.
YC is a community, not just an accelerator. The founders in our community have to trust each other, and we have to trust them. When that trust breaks down, there's really only one thing to do.
We're not going to get into the details publicly. We wish them well.
Someone doing harm to you doesn't automatically mean you wish harm to them. Not that I necessarily take what Garry says at face value but it's definitely possible to unironically take this viewpoint.
People don’t realize that the people at the top of organizations are effectively like politicians in democratic systems only the vote comes in confidence; usually manipulative, lying, and deceptive because they are inherently dependent on maintaining perception of the people they rely on and underpin their roles and power.
One way in which they do that is to ride or effectively are selected by the system for their mastery of the psychological trick of positivity and optimism that predisposes people to follow and trust, e.g., even when someone betrays you, you “wish them well.
In such systems, courage and hard lines that enforce strict rules, discipline, and principles does not provide the leaders in that system the affordances and benefits of leadership. As has been indicated, the subject behaviors are not only not novel, nor are they unique. What precipitated this current action appears to be the egregious and probably violative nature of the behavior, not the behavior itself. The veneer of perception was pierced, which is the real trigger of action.
Just use my saying what I just said above as an example, there will be people who have not even read this last paragraph and will it will have the urge to down vote what I said solely on the basis that they want to punish me, the messenger, because I’m pointing out things that are very much true and not saying it in a positive manner. It causes feelings of discomfort and especially in American society today where everything is geared towards positivity and good feelings opium, not bad feelings, even if you’re being scammed or defrauded or lied to, you have to remain positive, say things in positive ways, be “constructive”.
I don’t know if it’s sustainable because it’s such a con job at its very core, an abusive confidence trick, maintaining the perception of confidence and optimism to keep people happy and positive and optimistic regardless of red flags; however, we shall all find out one day if no one being able to deal with reality anymore if it’s not wrapped some nicety, is sustainable. Hence, “They violated us/me” but “I wish them well”. See, they are wished well, so everything is fine and we just removed the bad apple, nothing to see here, keep being positive as the telescreen instructs you to.
"I don't want to associate with you" and "You betrayed my trust" are two different things. The latter says you intentionally caused me harm, the former does not. I don't consider it normal to wish well on people who intentionally cause me harm.
That’s an oversimplification of what your parent comment said, which was someone who has betrayed your trust.
> It would be interesting if you didn't
Why? What’s interesting about it? You don’t have to actively wish harm on people who harmed you, but there’s nothing strange about not wishing them well.
You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state. To me the default posture is not indifference, but wishing wellness.
We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either. So I take back what I said about what is interesting to me, and I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
> You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state.
Not what I said.
> To me the default posture is not indifference, but wishing wellness.
Same here. I’m not convinced that’s the default state for everyone, though. David Foster Wallace’s “This is Water” comes to mind.
> We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either.
Sure, I get that. Though you’re still answering as if what was in question was the neutral state of “people you don’t associate with” rather than the negative state in question mentioned by your original parent comment of “someone who has wronged you”.
> I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
Interesting. No criticism on my part. My wish would rather be that we don’t wrong each other (which, crucially, requires intentionality) in the first place. And while I don’t typically wish ill on others, I don’t think it’s wrong to not wish well on those who cause harm. If you’re a despot oppressing millions of people for your own selfish benefit, I don’t really think wishing you well is a positive action.
But again, no judgement, I was trying to understand your position, so thank you for clarifying. Have a nice weekend.
The ironic usage makes for compelling dialogue and comports with stereotypes about Southerners as formal/restrained. So that's what ends up on television. At least that is how I think I came about having that impression.
I was half-joking, but if YC has a legal issue resulting from the alleged fraud (unclear currently), kicking out the company for the lesser infraction would make more sense.
Investors aren't on the hook for the bad behavior of companies they invest in. Quite the opposite: Defrauding investors (and acquirers, and creditors) is commonly the thing that lands people like Elizabeth Holmes in prison.
Ycombinator may have financially benefited from the scam operations since the company subsequently raised funds.
Considering they do due diligence before investment and are experts in IT and legal, how could they not know what is the business model when it was the unique selling point ?
Yeah, yeah... of course, of course... like telehealth companies prescribing GLP-1 Ozempic/Wegovy where there is one doctor for 10000 patients. Totally sounds legit.
I wonder if the kind of personality that gets you on 30U30 correlates with being willing to engage in massive fraud, and being able to get away with it for a minute.
Holmes, SBF, Shkreli, Charlie Javice, Ishan Wahi...
When ambitious competitors who can't accept loss or normalcy enter into a field that's saturated with skilled rule-abiding players, they'll cheat.
Hypercompetitive fields will always surface cheaters given enough time. Then regulations pile on to fight the cheating, which makes it harder for honest people to do the good work.
We do not punish cheaters like these as much as we should.
You know, after all this time Lucas Duplan doesn't seem so bad. His hubristic sin was posing for a photo burning fake hundred dollar bills. That just seems like a random Tuesday now.
If I remember correctly, you need to be nominated by someone to be considered for the 30U30 list. Some of the people on those lists will literally run their own campaigns to get on the list, meaning that they'll pay people to nominate them, pay PR firms to run stories and campaigns. Other people do seemingly nothing, and just get nominated by legit people that admire them.
So, I'm fairly certain lists like that will attract some amount of unscrupulous narcissists.
I'd focus less on the U30 part, and more on the 30U, if that makes sense — the problem is with people who seek that sort of attention (and that 79 year old certainly qualifies as wanting that sort of attention). For those people, their businesses are a means to an end in the most cynical way possible.
Speak for yourself. I'm O18 and I don't want him in there like you claim to. Most of his base claimed to be anti-pedo until they saw the evidence in the unredacted subset of the Epstein files that Congress legally forced him to release, and now suddenly they're pro-pedo (and pro-war and pro-bombing-schoolchildren). But you be you, and make baseless evidence-free false equivalence accusations against other people to justify the rapes and legally adjudicated sexual assault and pussy grabbing by the guy you as an "O18" claim you want in there.
They've graduated 5,000+ companies, so some fraud is hard to avoid, especially with young hungry founders willing to do anything to succeed. Honestly, it's a pretty good track record that there's only been a handful of companies like this.
this is a teachable moment for yc, maybe the cost of investing in a sour apple is a lot more than half a mil, maybe there's a brand or reputational cost, even in places you least expect it right, these two seemingly had everything laid out for them by investors, did they even come up with compliance? who told them to work on that? now look what happened, it's like everyone cant get far enough fast enough now. What about their lead investor insight partners? what's that conversation like?
it's all just very strange and stupid, ironically from the the startup posing as auditors..
Every single technical auditor I've dealt with has been majorly incompetent and wanted to do things that would decrease security. And these were not some cheap bottom of the barrel companies but the big "industry leaders".
Sure, most companies could add an About section and probably put this behind them pretty quickly. They could have even hired someone like Delve to assure this kind of thing wouldn’t happen again.
But Delve themselves can’t really do any of that. They’ve screwed up on a fundamental piece of their own business model. Their core offering *is* Compliance as a Service!
How could I trust their word that they’ll ensure my company is compliant? How could I trust their word that a company I’m doing business with is compliant? They can’t even handle their own Apache 2.0 licensed works, and that’s child’s play- relatively speaking. I’m supposed to trust that they can handle PCI and HIPPA and all the rest for other companies?
This is like having a dentist who doesn’t brush and floss their own teeth. Or a building inspector working out of a moldy office suite with exposed rebar. Or an editor with a personal website full of typos and grammatical errors. It’s a dealbreaker to anyone with common sense.
Unlike Zenefits, which had (allegedly?) committed fraud for part of their business in the interest of moving faster, and then Parker came back with Rippling…
These guys’ entire and actual business model was fraud.
> Below are just some of the many inaccuracies in the story and then the truth.
> The Substack inaccurately said Delve relies on “Indian certification mills operating through front companies” and cannot pass legitimate audits. This too is not accurate.
At least it's not GPT but my goodness - you can definitely sense the panic. I think Karun is a little worried.
Neither. "Leaving YC" or "being removed from Y combinator" really just means you (more precisely, your YC/HN account) loses access to internal resources like bookface. This does have the knock on effect of essentially isolating you from the community. It's not entirely a punishment, it can be as simple as you are a person who isn't working on a YC company anymore, for example.
This has zero bearing on equity, which would be a different conversation. In this case, I think the YC SAFE is likely to remain as-is, unless the founders choose to return the money, or YC chooses to levy a heavier allegation of fraud (which they don't seem to have done here).
Great to see them take action.
I'm waiting for cambioml next. A married couple notorious for fraud that apparently relocated to ME as a result. That's outside of the terrible treatment of ripping off interviewees (see: https://www.reddit.com/r/devops/comments/1n7cdua/got_a_devop...). Won't even comment on other stories I've heard related to them screwing over employees/cofounders.
On the one hand the company that was selling companies pre-made “You’re hipaa compliant” pdfs was doing fraud, but on the other hand the companies that were buying “We’re hipaa compliant” pdfs that said they had implemented compliance measures that they definitely hadn’t were also doing fr
Its quite ironical and interesting at the same time, seems like there is a threshold size/impact beyond which everyone would come and save you, anything less and you will have to bear the consequences.
While I do think Delve and the leadership there should be held responsible, it's a bit weird to see YC and others take shots at them for breaking the law when so many of their prized unicorns achieved what they did by being willing to just ignore laws and deal with the consequences later.
While I agree with you, I also find myself wondering who draws the line. Given the current political atmosphere and its increasingly fluid relationship with "truth," I have to consider that the line for others may not be where it is for me — especially given the nuance buried in the details of many B2B deals.
Their value prop had to be strong enough to get past YC, past the other founders in the batch, past due diligence. Given that, I'm no longer comfortable casting "fraud" as a clean binary.
To be clear — I do genuinely believe they are a fraudulent company that lied and deserved to be removed. But introspectively, I have to sit with the fact that the space between "working around dumb regulations" and "outright fraud" is murkier than we'd like to admit.
The vast majority of crimes are still being prosecuted as such. You have to reach a certain size/notoriety and money to buy a POTUS pardon; I doubt that matters for a relatively unknown outfit like Delve.
3. Customers want to do something, you help them do it, and nobody has done it before, so whether it's legal or not is kind of up in the air.
E.G. Uber exploited a legal loophole that distinguished the kind of taxi service you hail on the street from the kind of taxi service you call on a phone.
The latter were much less regulated, and usually much more exclusive and pandering to a richer crowd. Nobody really knew which kind Uber should be classified as, it was the first kind in practice (same customer base as normal taxis) but the second in theory (ordered, not hailed).
Let me more clearly instead say that many successful startups knowingly and intentionally broke the law.
But I agree that Delve is a special case and should naturally be held to a higher standard here because their whole business is around being compliant with the law. When most other startups break the law, they do it to get an advantage over competition. Delve did it in a way that sacrificed their core value towards customers.
The difference is that Airbnb customers used Airbnb because they thought hotel regulations were dumb and overbearing (or at least, they didn't care about the laws). Delve customers were literally trying to obey the law and Delve (allegedly) lied to them about it.
There is a difference between "fake it till you make it" and "blatant widespread fraud", but the line is blurrier than many startups would like to admit.
> Ignoring a law is different from knowingly and intentionally breaking the law
This is like a line from a Naked Gun movie. The only way that this sentence could be true linguistically is if the party doesn’t break the law that they’re ignoring (e.g. I could ignore the rule against perpetuities while drunk driving through a zoo)
I think it's fairly straight forward why. It's because Delve broke the law and got other YC companies in trouble vs other industries & people not under the YC banner.
Like, it's a company that sells AI-slop powered regulatory compliance. How many laws do you think the "fake it ill you make it and you'll never make it" AI will break? But "regulatory compliance" is laws that startups hate, so breaking them is good.
Copyright and the copyleft licenses built upon it are the laws that support the software industry instead of just making sure innocent people aren't hurt by all this innovating and disrupting.
YC needs to go back to how it was. Choosing those who know what they are doing, and have been in the game for long and not blindly choose those who have graduated from tier-1 institutions. University degrees mean nothing at the end of the day.
And please stop investing in slop/wrappers. They do not solve World's problems.
I feel there has been complacency set into investing in general where investors are chasing quick money (first crypto and now AI slop) over solving hard/grueling problems that take a long time to fix but have huge returns down the line.
And we have a lot of tough problems that still need solving. AI won't magically fix that, despite being a great tool.
Yeah, used to be that a lot of companies in the batches made more or less sense, or you could at least see how they'd made sense if they managed to successfully reach their vision, even if it many times was a bit wishy-washy.
YC since then seems to have moved into a "spray and pray" approach where the ideas don't matter at all, they're 150% in on the "We invest in founders" idea now, almost too much, although I know that's always been a thing they've thought about. But all the batches since some years ago are just so uninspired and seem to be quick cash grabs, or obviously acquisition targets, rather than "solve a problem you experience yourself" which seemed to be much more popular (and realistic) before.
>choose those who have graduated from tier-1 institutions. University degrees mean nothing at the end of the day.
It means everything for YC's model.
YC does not care about the software.
They care about the founders.
YC's model and ecosystem is explicitly designed to be a who's who club of interconnected founders that are very, very encouraged to """rely""" on each other when building their companies.
YC uses a lot of double speak regarding this ecosystem, but if you explained the concept to a layman on the street they'd tell you exactly what this concept is in just a very few, very blunt words.
Elite-class founders and lots of cheap, imported, or "passionate" labor.
Having gone through the SOC2 process multiple times and having worked with and read SOC2 reports from many public companies, it's difficult for me to understand the outrage.
The specific fraud allegations are bad (lying about US based auditors) but it's completely normal and common for soc2 reports to be templates with no company specific information. It would be unusual for reports to include anything about the specific information found during an observation window as some have suggested.
SOC2 is basically fake and it isn't possible in practice to fail to be compliant. You really can apply the same template to all companies and automate the audit process.
We have done SOC2 and it's not fake. Its real and enforced some good practices and we spent a lot of time collecting evidence and submitting it. You can take it seriously or you can choose not to.
There are typically two soc2 reports generated from an audit. The first is the one for general use, often just shared publicly. This is probably what you look at from public companies that you have no binding relationship with. The other is the restricted use report which details all the findings and controls. That is typically only shared under NDA.
This is where I'd actually appreciate "blog spam" i.e. a quick post to mention the URL, link to archive to show what was there before and explain the significance.
So they decide to drop this from their COO while their CEO has been doing all the talking on a friday night? Looks like YC told them they had to announce this and this was their least-viewable option.
"By combining the evidence I collected together with what the sim.ai team provided, I will show that Delve has stolen an open-source company’s tech by violating their license and then making a lot of money with it."
->
You mean like OpenAI, Anthropic and all these other 'unicorns'?
I'm happy we're all clear on how bad Delve is but in essence what they were doing is exactly the same as what these AI companies do.
While I despise the sham commercial LLMs have made out of intellectual property, I think Delve is one step worse than that. The technology behind LLMs is innovative, even if the data used to train them have ethically and legally dubious origins. Delve doesn’t even have the ability to claim anything they’ve done as original, unless you count fraud as a service.
The only thing that makes delve worse in my book is that they're selling compliance, they have zero excuses. But the likes of OpenAI and Anthropic even if they don't sell compliance do whitewash bulk copyright violations and they have valuations far in excess of Delve. Too big to fail I guess.
The headline here says "Delve removed from Y Combinator", but the link doesn't go to a statement by Y Combinator. It goes to a 404.
Is there reason to believe that Delve has been removed from Y Combinator, the organization, or is this more an announcement that Delve has been removed from Y Combinator's website?
Interesting! I worked for one YC startup that committed blatant fraud, with the founders vanishing when investors started chasing them to bring them to responsibility. And they haven't been removed. Just marked as "inactive".
Nope. Founders just disappeared with whatever money was left.
They claimed to have a working product and a big list of paying clients while in fact they had a half-assed prototype written by one hapless dude who they paid to the tune of $15 an hour. Which i helped to transform into a somewhat-better prototype and they paid very well for it. But no actual paying clients ever existed and the idea was obviously brain-dead from day one. After they got tired of pretending, they stopped paying, then disappeared. Then years later i read in the news that subsequent investors launched an investigation into fraud and they were put on the list in some countries.
I'm sure no one except themselves ever made any money on it, certainly not YC.
Pretty disgusting behavior from the founders just posting as normal on linkedin/twitter as if this is run-of-the-mill. Fraudsters need to be nipped in the bud, lest we get trump-like scenarios.
YC invests in military startups, they have no problem killing people if it would make them money. What makes a fake HIPPA compliance cert worse than that?
Fairly inevitable. Like all YC companies, they were total frauds, but they made the cardinal mistake of defrauding other YC companies instead of the general public. Bad move.
This thread is going to use very dressed up and lofty language discussing the issue, in order for the express purpose of dancing around the fundamental issue here.
Y Combinator as a concept, and all of its "children" are rotten to the core.
Every single company is "evil" in some form, and not in the usual "private companies are big baddies" kind of way. They grossly and recklessly violate laws and ethical boundaries day in and day out.
The sooner people are even willing to entertain this, the sooner we can have actual conversation around these issues.
I'm getting the impression that a lot of people in this thread think this is because they violated an open-source license and saying things to the effect of, "they're just the ones who got caught". I also thought that was the scandal initially. (And when it comes to license violations, yes, there's absolutely more where that came from.)
But that's just the cherry on top. I don't think they're being thrown out because they violated a license. There are really serious fraud allegations. Allegedly they were rubber-stamping noncompliant customers, leaving them exposed to potential criminal liability under regulations like HIPPA.
https://deepdelver.substack.com/p/delve-fake-compliance-as-a...
I've only skimmed this so I do not endorse these allegations, but I think it's context missing from this discussion.
YC has no problem with morally questionable behavior, many YC startups do things that are just as shady. YC is, ultimately, not responsible for what these startups choose to do. Delve’s problem is that they betrayed so many other YC companies in the process. An important value of being in YC is access to a ready-made customer base. The licensing issue is nothing compared to their fake audits but it is an affront to the YC community, hence, kicked from the community.
I’m sure if Delve has only engaged in fraudulent audits or had only resold another YC company’s product, they would have been allowed to stay, the problem is all of that combined pissed off enough other YC companies.
> YC is, ultimately, not responsible for what these startups choose to do.
Of course they're responsible for their investments; they're just not liable. YC has a lot to answer for in the damage it's wreaked over the years.
> YC has a lot to answer for in the damage it's wreaked over the years.
What damage is that? (excluding the present case)
How about the privacy darling Flock?
> What damage is that? (excluding the present case)
That seems to be an introspective question.
They’re responsible for the existence of scribd. Not aware of any other obviously socially net negative companies.
For the uninformed what’s the deal with scribd?
Scribd are quite annoying. The pitch was "the YouTube for documents" allowing stuff to be posted and shared but they tend to try and get subscription money off you to see anything unlike the likes of YouTube.
Flock
Airbnb
Reddit
I think when making the claim a company is a net negative, it's necessary to explore what would have happened if the company hadn't been founded.
I find it unlikely, for example that there would not be a dominant centralized forum platform. People would have certainly started problematic communities on the dominant platform, and it's unlikely a platform with strict moderation would have gained dominance before 2015 or so. I do think a dominant player would have been established by 2015.
Do you think whatever you see as harmful about Reddit would not have occurred if the company didn't exist?
It would have happened more slowly at least, delaying the increase in populism, nihilism and depression in the Western world, the anglosphere in particular.
What traits specific to Reddit as opposed to a hypothetical generic alternative forum platform do you think are major contributors to those social trends?
Recommendation engine pushing users into ideological bubbles, public voting mechanism creating incentive for conformity which then creates purity spirals, lack of moderation.
Early Reddit had a recommended tab, but that didn't last long. The current recommendation features are relatively recent - this decade at least.
It would surprise me if the winner in that space didn't have a public voting mechanism. Digg, Reddit's early major competitor had one, and heavy-handed moderation surrounding the HD-DVD decryption key leak was one of the major inflection points that drove users from Digg to Reddit. Stricter moderation during that time period would have been a losing strategy.
That's mostly imputable to Facebook, Twitter, and Instagram. Reddit is a footnote in the mainstream, which is dominated by those 3.
Given the number of Reddit users across the Anglosphere, I disagree that Reddit is not a major contributor.
The “I just have the arsonist the match, I didn’t tel him to strike it” approach of tech bros has caused untold damage to the world over the last 20 Years.
I'm not saying you're wrong, but a blanket "untold damage" statement won't carry an argument here, you need to be specific.
But then it wouldn't be untold
> YC is, ultimately, not responsible for what these startups choose to do.
Formally they might not be (depends on the case), but morally they are.
I think it’s partly that, but also that when you have something that is toxic, radioactive and on fire on your ship, you shove it overboard, and assess just how bad the damage was afterwards.
Of course, giving money to terrorists also doesn't make the side giving money responsible /s
The delusions people establish to feel better about their or someone else they like mistakes...
There's quite a good summary of the allegations here https://www.reddit.com/r/startups/comments/1rz15ui/i_will_no...
>Pre-written audit conclusions. The "Independent Service Auditor's Report" and all test conclusions were already filled in before clients had even submitted their company descriptions...
>Copy-paste templates. 493 out of 494 leaked SOC 2 reports (99.8%) had identical text, same grammatical errors, same nonsensical descriptions...
There's an excellent podcast and writeup on this from Patrick mcKenzie, which explains the story in more detail, including an interpretation of their statement and background on why this is a scandal in the first place.
https://www.complexsystemspodcast.com/episodes/delve-into-co...
I came across a top tier compliance auditor doing the same thing recently. I tried to talk to them about it and rather than approaching this from a constructive point of view they wanted to know the name of the company that got certified so they could decertify them and essentially asked me to break my NDA. That wasn't going to happen, I wanted to have a far more structural conversation about this and how they probably ended up missing some major items (such as: having non-technical auditors). They weren't interested. They were not at all interested in improving their processes, they were only interested in protecting their reputation.
I'm seriously disgusted about this because this was one of the very few auditors that we held in pretty high esteem.
Pay-to-play is all too common, and I think that there is a baked in conflict of interest in the whole model.
Have you considered whistleblowing?
Yes. But I'm not working at either company and I'm 99.9% sure that it would lead to absolutely nothing other than a lot of misery for myself. The NDA's I sign have some pretty stiff penalties attached. I was actually hoping to see my trust in the auditing company confirmed and I'm still more than a little bit annoyed that they did not respond in a more constructive way.
My response however is a simple one: I used to steer (a lot of) business their way and I have stopped doing that.
Wouldn't it require a huge leap of faith for them to admit the audit was improper in order to have that discussion? Who's to say you aren't recording?
I've already established that it was improper. It's up to them to make the most of that knowledge and then to determine of this is a singleton or an example of a class that has more representation. In that sense it is free to them, I'm under absolutely no obligation to provide them with a service. But I'm willing to expend the time and effort required to get them to make the most of it. What I'm not going to do is to allow them to play the blame game or 'shoot the messenger'.
I didn't mean it as a criticism, I think giving them the opportunity to improve and refusing to offer a scapegoat were both standup things to do. I'm just wondering if they were ever in a position to take that opportunity.
Hard to tell. But given that it was their legal department contacting me I think you know the answer to that one.
Similar boat. Seen the same shenanigans being played with actors who really should know better - everything from military secrets to medical data, and absolutely YOLOing it with an audit mill. I have it on good authority that there are superuser credentials floating around for their production systems that they’ve lost track of.
And no, I won’t whistleblow either, as it would mostly be me that would face repercussions, and I am unafraid to say that I am a coward.
We choose the battles we fight, and I’d like to believe that ultimately, entropy will defeat them without me lifting a finger.
I'd called out fraud (blatant lying in investor updates) at a VC backed startup where I was a technical co-founder, once. I emailed all the investors and presented all the evidence to them. They decided to not rock the boat and keep my charlatan co-founder. So, I left. Now, the company is slowly bleeding to death.
> Now, the company is slowly bleeding to death.
There are thousands of companies where the shady practices are rewarded, the companies thrive and make money for the investors. So the investors are incentivized to reward this behavior just on the chance that they are rewarded back.
Whistleblowing sinks those chances and the investors and VCs know it. It doesn' just take away the money, it even takes away the plausible deniability. They put a lot of effort to absolutely punish any whistleblower to discourage the rest. Anything for a dollar. and this is probably all you'll ever need to know about almost every VC out there. Beyond the witty "I'm rich so I'm smart" blog posts and tweets, they're very much just the "anything for a dollar" type of people.
To be fair, I’m not sure blatant lying in investor updates alone constitutes fraud. There needs to be harm (or the intent thereof) AFAIK. The other party needs to be using that information to make a decision. If you give me a dollar and then later I tell you I’m actually Beyonce, is that fraud? Or am I just a lying sonofabitch?
It's encouraging future investment on a false pretext. I'd say that's fraud.
If I give you a dollar and you say it’s being spent wisely, Beyonce loves the product, you’re about to land Taylor Swift as pro bono public ambassador… yeah that’s fraud.
It's auditing, nobody that is good at doing anything goes to auditing, unfortunately its one of those jobs. I haven't interacted with any auditor that actually understood all they were auditing, some are better than others but the average is worse than almost any other job description I have dealt with.
If you care about this stuff you need to in-house auditing and do your own audits with people who care. Then get certified by an external auditor for the paper.
You can start very lightweight with doing spec driven development with the help of AI if you're at a size where you can't afford that. It's better than nothing.
But the important part is you, as a company, should inherently care.
If you rely on an auditor feedback loop to get compliant you've already lost.
This function exists in every publicly traded public company, and is called internal audit.
It has the potential to be incredibly impactful, but often devolves into box ticking (like many compliance functions).
And it's really hard to find technical people to do the work, as it's generally perceived as a cost centre so tends not to get budget.
Nobody really tries to get technical people to do the work.
Like cool, it's a great idea and would potentially produce positive results if done well, but the roles pay half the engineering roles, and the interviews are stacked towards compliance frameworks.
There's very little ability to fix a large public company when HR is involved
To be honest, I would even go further: if you think certification equals security, you are even more lost.
So many controls are dubious, sometimes even actively harmful for some set-ups/situations.
And even moreso, it's also perfectly feasible to pass the gates with a burning pile of trash.
And they do not track the industry at all, at best they'll help you win the war of five years ago.
Imagine my face when I had to take periodic backups of stateless, immutable read-only filesystem, non-root containers for "compliance".
That's hilarious :)
Ook goeiemorgen...
But companies don't care. They don't want compliance for feel goods, they want compliance because their partners require it. They do the minimum amount required to check the box
Caring about security and comparing about some of the arbitrary hoops you have to jump through for some of these compliance regimes don’t always overlap as much as you’d expect.
I’ve been at companies where we cared deeply about security, but certain compliance things felt like gimmicks on the side. We absolutely wanted to to do the minimum required to check that box so we could get back to the real work.
The industry is paid to provide a fig leaf for shady practices. Everyone knows what's going on, no one is going to do anything about it unless governments step in and give regulators more resources and more teeth, and "errors" lead to prosecutions and jail time.
None of those are likely.
This is the industry that missed Enron, WorldCom, Wirecard, Lehman, and many others.
I suspect many AI startups will be on that list in 2-5 years.
You should check out the banking industry sometime if you'd like to interact with a competent auditor.
Compliance gets taken quite seriously in an industry where one of your principal regulatory bodies has the power to unilaterally absorb your business and defenestrate your entire leadership team in the middle of the night.
They could. But they don't.
I've seen this up close. The regulatory bodies as a rule are understaffed, overworked and underpaid. I'm sure they'd love to do a much better job but the reality is that there are just too many ways to give them busywork allowing the real crap to go unnoticed until it is (much) too late.
Because they’re put there as a box ticking exercise without ever being given the power or resources to be able to do damage or negatively impact the bottom line of the big rule breakers. It’s just supposed to maintain the appearance of doing something without ever supporting these activities for real. For the most part they are a true Potemkin village. If the risk is diffuse (just some average Joe suckers will lose money) I wouldn’t hold my breath that anyone is controlling for real.
All LLMs do this, yet nobody bats an eye.
lol strongly agree it is just cherry on top. In big tech they also copy but just copy in a smart way so I don't believe that's the reason they got removed.
hipaa*
Someone leaked an internal Bookface chat from Garry Tan (YC CEO) saying:
https://x.com/___4o____/status/2040271468874076380I have no direct knowledge of the accuracy of any of this. This is not my account.
"They've betrayed my trust but I wish them well" is an interesting statement.
Someone doing harm to you doesn't automatically mean you wish harm to them. Not that I necessarily take what Garry says at face value but it's definitely possible to unironically take this viewpoint.
It’s what you say to establish it’s a professional action taken for business reasons.
The gstack is also pretty interesting.. well, not really
It's the polite way of saying goodbye when you actually mean "eff off"
People don’t realize that the people at the top of organizations are effectively like politicians in democratic systems only the vote comes in confidence; usually manipulative, lying, and deceptive because they are inherently dependent on maintaining perception of the people they rely on and underpin their roles and power.
One way in which they do that is to ride or effectively are selected by the system for their mastery of the psychological trick of positivity and optimism that predisposes people to follow and trust, e.g., even when someone betrays you, you “wish them well.
In such systems, courage and hard lines that enforce strict rules, discipline, and principles does not provide the leaders in that system the affordances and benefits of leadership. As has been indicated, the subject behaviors are not only not novel, nor are they unique. What precipitated this current action appears to be the egregious and probably violative nature of the behavior, not the behavior itself. The veneer of perception was pierced, which is the real trigger of action.
Just use my saying what I just said above as an example, there will be people who have not even read this last paragraph and will it will have the urge to down vote what I said solely on the basis that they want to punish me, the messenger, because I’m pointing out things that are very much true and not saying it in a positive manner. It causes feelings of discomfort and especially in American society today where everything is geared towards positivity and good feelings opium, not bad feelings, even if you’re being scammed or defrauded or lied to, you have to remain positive, say things in positive ways, be “constructive”.
I don’t know if it’s sustainable because it’s such a con job at its very core, an abusive confidence trick, maintaining the perception of confidence and optimism to keep people happy and positive and optimistic regardless of red flags; however, we shall all find out one day if no one being able to deal with reality anymore if it’s not wrapped some nicety, is sustainable. Hence, “They violated us/me” but “I wish them well”. See, they are wished well, so everything is fine and we just removed the bad apple, nothing to see here, keep being positive as the telescreen instructs you to.
"they can fuck off from where they came" would be a bit too intense even for Gary
I guess if he told them "die slow motherfuckers" as he's told others that wouldn't be too intense for him.
“We’re keeping our distance but we still own a piece of their company” might have done it?
Everyone one of us makes mistakes. Wish all well and see what the future brings.
Don't you wish well on people you don't want to associate with? It would be interesting if you didn't, imo.
"I don't want to associate with you" and "You betrayed my trust" are two different things. The latter says you intentionally caused me harm, the former does not. I don't consider it normal to wish well on people who intentionally cause me harm.
> people you don't want to associate with
That’s an oversimplification of what your parent comment said, which was someone who has betrayed your trust.
> It would be interesting if you didn't
Why? What’s interesting about it? You don’t have to actively wish harm on people who harmed you, but there’s nothing strange about not wishing them well.
You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state. To me the default posture is not indifference, but wishing wellness.
We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either. So I take back what I said about what is interesting to me, and I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
> You make it sound like wishing harm or wishing wellness are activities while not wishing anything is just the default passive state.
Not what I said.
> To me the default posture is not indifference, but wishing wellness.
Same here. I’m not convinced that’s the default state for everyone, though. David Foster Wallace’s “This is Water” comes to mind.
> We throw around words like "interesting", which is a subtle way to say "not normal", which is a subtle way to say that that's not how we would behave and that we think that others shouldn't behave that way either.
Sure, I get that. Though you’re still answering as if what was in question was the neutral state of “people you don’t associate with” rather than the negative state in question mentioned by your original parent comment of “someone who has wronged you”.
> I'll just say that I wish it was normal to wish well to others, regardless of their actions or repercussions you impose on them.
Interesting. No criticism on my part. My wish would rather be that we don’t wrong each other (which, crucially, requires intentionality) in the first place. And while I don’t typically wish ill on others, I don’t think it’s wrong to not wish well on those who cause harm. If you’re a despot oppressing millions of people for your own selfish benefit, I don’t really think wishing you well is a positive action.
But again, no judgement, I was trying to understand your position, so thank you for clarifying. Have a nice weekend.
It's giving Gwyneth Paltrow at the conclusion of her ski crash trial.
"I wish them well" is an idiom for "I never want to see them again".
Kinda like "bless your heart", which means nothing of the sort.
Why do non-Southerners keep insisting on this? Bless your heart can be said sincerely or ironically, like pretty much any other phrase.
You mean kinds like "I wish them well" here?
My comment is an internet comment about idioms, not a comprehensive linguistic treatise.
You seem like you're looking for something to be upset about. I wish you well.
The ironic usage makes for compelling dialogue and comports with stereotypes about Southerners as formal/restrained. So that's what ends up on television. At least that is how I think I came about having that impression.
but should it be?
"Bless their little hearts"
Apparently Garry Tan has the same warm feelings and friendly relationship with Delve as Trump has with Ghislaine Maxwell.
Trump On Ghislaine Maxwell: "I Just Wish Her Well" | NBC News
https://www.youtube.com/watch?v=jC2jsRrzCrs
The text implies it’s more due to the alleged license violation of a YC startup’s IP than the alleged fraud.
Really? I know nothing about this other than what I've read here, but my first guess was the breakdown in trust means the allegations of fake audits.
I was half-joking, but if YC has a legal issue resulting from the alleged fraud (unclear currently), kicking out the company for the lesser infraction would make more sense.
Investors aren't on the hook for the bad behavior of companies they invest in. Quite the opposite: Defrauding investors (and acquirers, and creditors) is commonly the thing that lands people like Elizabeth Holmes in prison.
Ycombinator may have financially benefited from the scam operations since the company subsequently raised funds.
Considering they do due diligence before investment and are experts in IT and legal, how could they not know what is the business model when it was the unique selling point ?
Because Delve defrauded them.
Yeah, yeah... of course, of course... like telehealth companies prescribing GLP-1 Ozempic/Wegovy where there is one doctor for 10000 patients. Totally sounds legit.
It is very clearly the fake audits.
Hi, sorry, just new to this entire story, could you please share light on the fake audits? Trying to understand what exactly happened.
https://deepdelver.substack.com/p/delve-fake-compliance-as-a...
Thanks!
Garry Tan is an absolute loser but this is a huge W from him.
This other profile is still up:
https://www.forbes.com/profile/delve/
30U30 never ceases to amaze.
I wonder if the kind of personality that gets you on 30U30 correlates with being willing to engage in massive fraud, and being able to get away with it for a minute.
Holmes, SBF, Shkreli, Charlie Javice, Ishan Wahi...
When ambitious competitors who can't accept loss or normalcy enter into a field that's saturated with skilled rule-abiding players, they'll cheat.
Hypercompetitive fields will always surface cheaters given enough time. Then regulations pile on to fight the cheating, which makes it harder for honest people to do the good work.
We do not punish cheaters like these as much as we should.
When the stakes are high, non-compliance with the rules or the law might be worth the risk, see professional athletes and drug cheats, right?
Karma and integrity seem to be treated as an overdraft. But these folks are hardly held back by the systems they work in.
You know, after all this time Lucas Duplan doesn't seem so bad. His hubristic sin was posing for a photo burning fake hundred dollar bills. That just seems like a random Tuesday now.
Naming his startup “Clinkle” should have been a crime, though.
That was epicly horrid.
"that gets you on", ie. the kind of personality that literally pays & hustles to be featured on such a list to fuel their own ego?
colour me surprised
people still seem to think that forbes scouts the world for the best talents instead of the lists being basically a paid ad
If I remember correctly, you need to be nominated by someone to be considered for the 30U30 list. Some of the people on those lists will literally run their own campaigns to get on the list, meaning that they'll pay people to nominate them, pay PR firms to run stories and campaigns. Other people do seemingly nothing, and just get nominated by legit people that admire them.
So, I'm fairly certain lists like that will attract some amount of unscrupulous narcissists.
Yes? I mean, 30U30 has probably some, let's say, "PR steering" behind it
Not "Pay2Win" but possibly something less involved
Not sure it's exclusively a U30 thing. When it comes to grift and fraud, a well known 79 year old comes to mind.
I'd focus less on the U30 part, and more on the 30U, if that makes sense — the problem is with people who seek that sort of attention (and that 79 year old certainly qualifies as wanting that sort of attention). For those people, their businesses are a means to an end in the most cynical way possible.
Who rapes and bombs schools full of U18 children.
That is just what the O18 want in there. Last one also got their role because that. Doing it in public on camera.
Speak for yourself. I'm O18 and I don't want him in there like you claim to. Most of his base claimed to be anti-pedo until they saw the evidence in the unredacted subset of the Epstein files that Congress legally forced him to release, and now suddenly they're pro-pedo (and pro-war and pro-bombing-schoolchildren). But you be you, and make baseless evidence-free false equivalence accusations against other people to justify the rapes and legally adjudicated sexual assault and pussy grabbing by the guy you as an "O18" claim you want in there.
30 Under 30 to Life
Forbes MOST WANTED
30U30D30
It's not just about delve. It's about yc's model. YC encourages YC companies to trust other YC companies even though they are early.
If you can't trust your batch mates for something as crucial as compliance, the model doesn't work.
They've graduated 5,000+ companies, so some fraud is hard to avoid, especially with young hungry founders willing to do anything to succeed. Honestly, it's a pretty good track record that there's only been a handful of companies like this.
It's precisely because they graduated 5000+ companies that fraud is more difficult to avoid.
They scaled up massively the size of each batch and their frequency to a point where they are incapable of auditing them.
Maybe someone should start an auditing company for YC... oh
There is too much friction in the audit process… someone needs to solve this
this is a teachable moment for yc, maybe the cost of investing in a sour apple is a lot more than half a mil, maybe there's a brand or reputational cost, even in places you least expect it right, these two seemingly had everything laid out for them by investors, did they even come up with compliance? who told them to work on that? now look what happened, it's like everyone cant get far enough fast enough now. What about their lead investor insight partners? what's that conversation like?
it's all just very strange and stupid, ironically from the the startup posing as auditors..
Seems crazy that anyone (startups and buyers) would trust these guys for audit.
Shows the “compliance theatre” of what SOC2 has become
It's always been one.
Every single technical auditor I've dealt with has been majorly incompetent and wanted to do things that would decrease security. And these were not some cheap bottom of the barrel companies but the big "industry leaders".
Never forget https://serverfault.com/questions/293217/our-security-audito...
Oh my, that is so funny and terrifying, but also exactly what my first expectation is for a consultancy firm
It can work under the umbrella of some sort of coordinator
That looks like what happened here.
Sure, most companies could add an About section and probably put this behind them pretty quickly. They could have even hired someone like Delve to assure this kind of thing wouldn’t happen again.
But Delve themselves can’t really do any of that. They’ve screwed up on a fundamental piece of their own business model. Their core offering *is* Compliance as a Service!
How could I trust their word that they’ll ensure my company is compliant? How could I trust their word that a company I’m doing business with is compliant? They can’t even handle their own Apache 2.0 licensed works, and that’s child’s play- relatively speaking. I’m supposed to trust that they can handle PCI and HIPPA and all the rest for other companies?
This is like having a dentist who doesn’t brush and floss their own teeth. Or a building inspector working out of a moldy office suite with exposed rebar. Or an editor with a personal website full of typos and grammatical errors. It’s a dealbreaker to anyone with common sense.
You’re right, you can’t.
Unlike Zenefits, which had (allegedly?) committed fraud for part of their business in the interest of moving faster, and then Parker came back with Rippling…
These guys’ entire and actual business model was fraud.
Related: Delve allegedly forked an open-source tool and sold it as its own (295 points, yesterday, 153 comments) https://news.ycombinator.com/item?id=47615434
More likely related: Delve – Fake Compliance as a Service (836 points, 14 days ago, 323 comments) https://news.ycombinator.com/item?id=47444319
Sadly looks like another example of “fake it till you make it” in highly regulated industries is playing with fire.
Here is Delve’s defence to the whistleblower
https://delve.co/blog/response-to-misleading-claims
Wow, that writing is... earnest?
> Below are just some of the many inaccuracies in the story and then the truth.
> The Substack inaccurately said Delve relies on “Indian certification mills operating through front companies” and cannot pass legitimate audits. This too is not accurate.
At least it's not GPT but my goodness - you can definitely sense the panic. I think Karun is a little worried.
Curious - in this situation, does delve return money to YC? Or YC simply writes off the investment
Neither. "Leaving YC" or "being removed from Y combinator" really just means you (more precisely, your YC/HN account) loses access to internal resources like bookface. This does have the knock on effect of essentially isolating you from the community. It's not entirely a punishment, it can be as simple as you are a person who isn't working on a YC company anymore, for example.
This has zero bearing on equity, which would be a different conversation. In this case, I think the YC SAFE is likely to remain as-is, unless the founders choose to return the money, or YC chooses to levy a heavier allegation of fraud (which they don't seem to have done here).
The investment details really depends on the term sheet details
And I don't think this is just not "getting locked out of the website", but losing the YC "nod" is a greater deal in itself
Ya it’s a total write down, I dunno how much they took from YC, if it was the standard deal this is just the cost of doing business.
Based on?
Great to see them take action. I'm waiting for cambioml next. A married couple notorious for fraud that apparently relocated to ME as a result. That's outside of the terrible treatment of ripping off interviewees (see: https://www.reddit.com/r/devops/comments/1n7cdua/got_a_devop...). Won't even comment on other stories I've heard related to them screwing over employees/cofounders.
That reddit thread is brutal, knowingly making interviewees pay hundreds of dollars to interview in this economy is messed up.
Related from an hour earlier: Delve removed from YC website [archive.org] https://news.ycombinator.com/item?id=47634405
an example of why to avoid archive links in submissions (save 'em for comments), because the source link here will win.
But they "set the record straight"? Right? It was just a malicious actor who stole data from their system!
Good riddance to bad rubbish.
https://delve.co/blog/delve-sets-the-record-straight-on-anon...
Turns out you can't "fake it til you make it" with SOC2 compliance.
Fake it til you make it [into the news for fraud allegations].
Interestingly, they show up in the company list. When you click the link it returns 404.
https://www.ycombinator.com/companies/?query=delve
Probably just a means of updating the Algolia index.
From @patio11 a week ago: https://www.complexsystemspodcast.com/episodes/delve-into-co...
Duplicate of https://news.ycombinator.com/item?id=47634405
On the one hand the company that was selling companies pre-made “You’re hipaa compliant” pdfs was doing fraud, but on the other hand the companies that were buying “We’re hipaa compliant” pdfs that said they had implemented compliance measures that they definitely hadn’t were also doing fr
Its quite ironical and interesting at the same time, seems like there is a threshold size/impact beyond which everyone would come and save you, anything less and you will have to bear the consequences.
While I do think Delve and the leadership there should be held responsible, it's a bit weird to see YC and others take shots at them for breaking the law when so many of their prized unicorns achieved what they did by being willing to just ignore laws and deal with the consequences later.
Working around arguably dumb regulations and making your customers happy in the process is not the same as defrauding your customers.
While I agree with you, I also find myself wondering who draws the line. Given the current political atmosphere and its increasingly fluid relationship with "truth," I have to consider that the line for others may not be where it is for me — especially given the nuance buried in the details of many B2B deals.
Their value prop had to be strong enough to get past YC, past the other founders in the batch, past due diligence. Given that, I'm no longer comfortable casting "fraud" as a clean binary.
To be clear — I do genuinely believe they are a fraudulent company that lied and deserved to be removed. But introspectively, I have to sit with the fact that the space between "working around dumb regulations" and "outright fraud" is murkier than we'd like to admit.
The vast majority of crimes are still being prosecuted as such. You have to reach a certain size/notoriety and money to buy a POTUS pardon; I doubt that matters for a relatively unknown outfit like Delve.
> Working around arguably dumb regulations...
...is breaking the law
Yes, but there is a difference between:
1. Customers want to do something, you help them do it, but it's illegal.
2. Customers want to do something, you tell them you did it, but you were lying and defrauding them.
And
3. Customers want to do something, you help them do it, and nobody has done it before, so whether it's legal or not is kind of up in the air.
E.G. Uber exploited a legal loophole that distinguished the kind of taxi service you hail on the street from the kind of taxi service you call on a phone.
The latter were much less regulated, and usually much more exclusive and pandering to a richer crowd. Nobody really knew which kind Uber should be classified as, it was the first kind in practice (same customer base as normal taxis) but the second in theory (ordered, not hailed).
Ignoring a law is different from knowingly and intentionally breaking the law, especially when that law is actual intentional fraud.
Also, there was no “endgame.” They weren’t trying to change the law; they were exclusively breaking it for profit.
Let me more clearly instead say that many successful startups knowingly and intentionally broke the law.
But I agree that Delve is a special case and should naturally be held to a higher standard here because their whole business is around being compliant with the law. When most other startups break the law, they do it to get an advantage over competition. Delve did it in a way that sacrificed their core value towards customers.
that's defrauding the customer
this will literally get them in court
Yeah, precisely.
> Ignoring a law is different from knowingly and intentionally breaking the law
This is something Airbnb has facilitated for a very long time, no? And Uber, back when it started.
From a legal perspective I don’t see that it matters whether you’re trying to change the law or not. You’re either following it or breaking it.
Sure. Technically and legally, you’re right.
In reality, it makes quite a difference if public opinion is on your side or not.
“We decided to commit fraud by providing fake compliance reports” reads very differently from “we let homeowners make money by renting a room”
The difference is that Airbnb customers used Airbnb because they thought hotel regulations were dumb and overbearing (or at least, they didn't care about the laws). Delve customers were literally trying to obey the law and Delve (allegedly) lied to them about it.
> Ignoring a law is different from knowingly and intentionally breaking the law
Huh? In a legal sense I'm pretty sure they're the same thing.
I ignore the law every day when I jaywalk. Technically, you’re right that that is also breaking the law. I wasn’t being careful with my words.
How and why matters, though.
> How and why matters, though.
How and why you break a law matters (to a judge / jury). Whether you frame it as "ignoring" vs "breaking" in your legal defense, not so much.
I agree; I attempted to clarify that with my “not using words carefully” but that is a fair criticism of what I wrote.
That’s not how words work. This sentence
> I ignore the law every day when I jaywalk.
Means the exact same thing as “I intentionally break jaywalking laws every day”. They are equivalent sentences.
I agreed with you; that is why I said I wasn’t being careful with my language.
What does that mean
> I ignore the law every day when I jaywalk
Not illegal here, but I hope you not complain when caught and fined.
Jaywalking was illegal in NYC until 2025 but literally every crossing had people doing it constantly. This is not figurative, it actually is literal.
Including people doing it in front of police. Including the police themselves!
The law only existed for police to harass and fine blacks and Latinos. And indeed, that was how it was struck down.
It is critical to a just society that victims of unjust laws or uneven enforcement complain!
There is a difference between "fake it till you make it" and "blatant widespread fraud", but the line is blurrier than many startups would like to admit.
> Ignoring a law is different from knowingly and intentionally breaking the law
This is like a line from a Naked Gun movie. The only way that this sentence could be true linguistically is if the party doesn’t break the law that they’re ignoring (e.g. I could ignore the rule against perpetuities while drunk driving through a zoo)
I think it's fairly straight forward why. It's because Delve broke the law and got other YC companies in trouble vs other industries & people not under the YC banner.
The deal is to have plausible deniability and not get caught
Can you provide examples of YC startups that knowingly broke laws and just dealt with those issues later? I'm not very aware.
Airbnb, DoorDash
Uber
Uber is not YC backed.
Oh my context window is apparently too small
There's a sliding scale between fake it `till you make it and fraud.
Yeah, fraud is what happens when you don't make it.
Laws don't apply to you if you are big enough (e.g. AI companies)
fake it until you make it? at some point this attitudes of Silicon Valley start up will back fire.
They broke laws that programmers care about.
Like, it's a company that sells AI-slop powered regulatory compliance. How many laws do you think the "fake it ill you make it and you'll never make it" AI will break? But "regulatory compliance" is laws that startups hate, so breaking them is good.
Copyright and the copyleft licenses built upon it are the laws that support the software industry instead of just making sure innocent people aren't hurt by all this innovating and disrupting.
> At its core, this article argues that Delve fakes compliance while creating the appearance of compliance without the underlying substance.
Anderson Consulting er I mean "Accenture": "Hey, that's our job!"
PWC: "Yeah! Fuck off!"
KPMG: "Damn straight!"
Ernst & Young: "What they said."
Deloitte & Touche: "Ditto."
( https://en.wikipedia.org/wiki/Accounting_scandals#List_of_th... )
YC needs to go back to how it was. Choosing those who know what they are doing, and have been in the game for long and not blindly choose those who have graduated from tier-1 institutions. University degrees mean nothing at the end of the day.
And please stop investing in slop/wrappers. They do not solve World's problems.
I feel there has been complacency set into investing in general where investors are chasing quick money (first crypto and now AI slop) over solving hard/grueling problems that take a long time to fix but have huge returns down the line.
And we have a lot of tough problems that still need solving. AI won't magically fix that, despite being a great tool.
Yeah, used to be that a lot of companies in the batches made more or less sense, or you could at least see how they'd made sense if they managed to successfully reach their vision, even if it many times was a bit wishy-washy.
YC since then seems to have moved into a "spray and pray" approach where the ideas don't matter at all, they're 150% in on the "We invest in founders" idea now, almost too much, although I know that's always been a thing they've thought about. But all the batches since some years ago are just so uninspired and seem to be quick cash grabs, or obviously acquisition targets, rather than "solve a problem you experience yourself" which seemed to be much more popular (and realistic) before.
>choose those who have graduated from tier-1 institutions. University degrees mean nothing at the end of the day.
It means everything for YC's model.
YC does not care about the software.
They care about the founders.
YC's model and ecosystem is explicitly designed to be a who's who club of interconnected founders that are very, very encouraged to """rely""" on each other when building their companies.
YC uses a lot of double speak regarding this ecosystem, but if you explained the concept to a layman on the street they'd tell you exactly what this concept is in just a very few, very blunt words.
Elite-class founders and lots of cheap, imported, or "passionate" labor.
Let's get real here folks.
It starts from the top
Agreed.
Not surprising that Cluely is using them.. they were probably like, what we're compliant, sure if you say so
Having gone through the SOC2 process multiple times and having worked with and read SOC2 reports from many public companies, it's difficult for me to understand the outrage.
The specific fraud allegations are bad (lying about US based auditors) but it's completely normal and common for soc2 reports to be templates with no company specific information. It would be unusual for reports to include anything about the specific information found during an observation window as some have suggested.
SOC2 is basically fake and it isn't possible in practice to fail to be compliant. You really can apply the same template to all companies and automate the audit process.
We have done SOC2 and it's not fake. Its real and enforced some good practices and we spent a lot of time collecting evidence and submitting it. You can take it seriously or you can choose not to.
What evidence did you collect that was not automated?
There are typically two soc2 reports generated from an audit. The first is the one for general use, often just shared publicly. This is probably what you look at from public companies that you have no binding relationship with. The other is the restricted use report which details all the findings and controls. That is typically only shared under NDA.
I haven't seen that and all the reports I got were under nda
The only good delve is the go debugger
Can they keep their CISO out of jail?
An I the only one who has 404 not found when I click the link
That's the point...
which means it was removed...which is the entire point of the post bruv
This is where I'd actually appreciate "blog spam" i.e. a quick post to mention the URL, link to archive to show what was there before and explain the significance.
404s for me
I think that's the point - they have been removed.
That's the point.
Sorry! I thought it would be announcement. And it was subsequently taken down due to the HN interest.
streissand effect in action, surprised this thread was allowed to live.
hmm, how is this not like when Sam Altman was kicked out?
Post now seems deleted.....
Well, can see why...if its fraud you only post it when results of investigation by 3rd party is in due to defame concerns...
Bye-bye tweet from founder: https://x.com/kocalars/status/2040262537166618887
Notably YC hasn't wished them a farewell.
> striving to make the world a better place.
Why do all start-ups say this? I don't think there are many companies publicly saying "We're going to go 'scorched earth' on everybody."
Because if they had the money to be honest about it they'd not be a start-up!
It was a meme over a decade ago so prevalent that HBO's Silicon Valley did a joke about it: https://www.youtube.com/watch?v=B8C5sjjhsso
Saying it in 2026 just makes it sound more insincere than usual.
Oracle, right?
Striving to make the world a better place for us. Is what is implied.
funny thing about this tweet is the founder still couldnt stop herself from name dropping MIT
Much like their soc audits, her time at MIT was also incomplete. Still doesn’t stop them from cosplaying as a grad though!
Look at this series of tweets from her:
> One interesting observation I’ve noticed is a lot of top founders did oddly strong at math from a young age.
https://x.com/kocalars/status/2027076198002553159
Nauseating.
So they decide to drop this from their COO while their CEO has been doing all the talking on a friday night? Looks like YC told them they had to announce this and this was their least-viewable option.
At least they put a ladder up that tree
waiting on the cluely scandal next
Classic. I knew this would happen ever sine i first saw Delve on YC. I was right to trust my gut, and never used their product.
it felt very forced from the start, there was no iteration, narrative or pivots
who got these kids into compliance? cause it wasn't them
"By combining the evidence I collected together with what the sim.ai team provided, I will show that Delve has stolen an open-source company’s tech by violating their license and then making a lot of money with it."
->
You mean like OpenAI, Anthropic and all these other 'unicorns'?
I'm happy we're all clear on how bad Delve is but in essence what they were doing is exactly the same as what these AI companies do.
While I despise the sham commercial LLMs have made out of intellectual property, I think Delve is one step worse than that. The technology behind LLMs is innovative, even if the data used to train them have ethically and legally dubious origins. Delve doesn’t even have the ability to claim anything they’ve done as original, unless you count fraud as a service.
> Delve doesn’t even have the ability to claim anything they’ve done as original, unless you count fraud as a service.
I'd wager there's some prior art...
The only thing that makes delve worse in my book is that they're selling compliance, they have zero excuses. But the likes of OpenAI and Anthropic even if they don't sell compliance do whitewash bulk copyright violations and they have valuations far in excess of Delve. Too big to fail I guess.
Fraud as a service! The next big thing!!!
Presidential pardon insurance, like audit insurance but for breaking laws instead of filing taxes.
The headline here says "Delve removed from Y Combinator", but the link doesn't go to a statement by Y Combinator. It goes to a 404.
Is there reason to believe that Delve has been removed from Y Combinator, the organization, or is this more an announcement that Delve has been removed from Y Combinator's website?
Orwellian memory hole engaged.
I mean this is not the first time a YC company has stolen an open source project.
There is no saving Delve after this.
The only next product launch is an investigation.
friday news dump tho
Interesting! I worked for one YC startup that committed blatant fraud, with the founders vanishing when investors started chasing them to bring them to responsibility. And they haven't been removed. Just marked as "inactive".
What one? There’s little risk of naming the startup.
As early investors, did YC benefit from the fraud at the expense of the newer investors ?
Nope. Founders just disappeared with whatever money was left.
They claimed to have a working product and a big list of paying clients while in fact they had a half-assed prototype written by one hapless dude who they paid to the tune of $15 an hour. Which i helped to transform into a somewhat-better prototype and they paid very well for it. But no actual paying clients ever existed and the idea was obviously brain-dead from day one. After they got tired of pretending, they stopped paying, then disappeared. Then years later i read in the news that subsequent investors launched an investigation into fraud and they were put on the list in some countries.
I'm sure no one except themselves ever made any money on it, certainly not YC.
Pretty disgusting behavior from the founders just posting as normal on linkedin/twitter as if this is run-of-the-mill. Fraudsters need to be nipped in the bud, lest we get trump-like scenarios.
can't believe I almost spent 10 grand on this company a week before they blew up.
The two founders being early 20's with no background in compliance wasn't a red-flag?
Plus the 30u30 is now a signal.
I didn't know about them or think to check into the founders.
YC invests in military startups, they have no problem killing people if it would make them money. What makes a fake HIPPA compliance cert worse than that?
Fairly inevitable. Like all YC companies, they were total frauds, but they made the cardinal mistake of defrauding other YC companies instead of the general public. Bad move.
This thread is going to use very dressed up and lofty language discussing the issue, in order for the express purpose of dancing around the fundamental issue here.
Y Combinator as a concept, and all of its "children" are rotten to the core.
Every single company is "evil" in some form, and not in the usual "private companies are big baddies" kind of way. They grossly and recklessly violate laws and ethical boundaries day in and day out.
The sooner people are even willing to entertain this, the sooner we can have actual conversation around these issues.