DeepDelver Did What Internal Channels Should Have: Why Anonymous Reporting Prevents Scandals
Apr 2026

A compliance company accused of faking compliance. The irony is obvious. But the real story isn't the alleged fraud. It's that the person who uncovered it had no anonymous reporting channel to use, so they published it on Substack for the world to see.

In March 2026, an anonymous whistleblower operating under the name "DeepDelver" published a detailed investigation accusing Delve, a Y Combinator-backed compliance startup valued at $300 million, of systematically faking SOC 2, ISO 27001, HIPAA, and GDPR compliance reports for hundreds of clients. The allegations included fabricated evidence of board meetings, rubber-stamp auditors, and trust pages listing security controls that were never implemented.

The fallout has been swift. Insight Partners scrubbed their investment thesis post. LiteLLM publicly dropped Delve and announced recertification with a different provider. Companies like Cluely, Lovable, Bland, HockeyStack, and Browser Use were named as affected clients.

But step back from the specifics for a moment. If you're a compliance officer, a general counsel, or a board member, the question that should keep you up isn't what Delve allegedly did. It's this: if someone at your organization, or one of your vendors, discovered something this serious, would they have a safe internal channel to report it? Or would they end up on Substack too?

What Happened: A Timeline

The sequence matters here because it shows exactly how long the gap existed between "people suspected something was wrong" and "the public found out." That gap is the window an internal reporting channel is designed to fill.

Late 2025: A spreadsheet containing links to confidential client audit reports leaks from Delve's systems. Former and current customers begin comparing notes.

December 2025: Delve CEO Karun Kaushik emails customers assuring them they are in compliance and that no external party gained access to sensitive data.

January 2026: A group of former Delve customers pool resources and begin a coordinated investigation, examining leaked data, audit reports, and the platform's actual implementation. At this point, multiple people have evidence of potential misconduct. None of them have a formal anonymous reporting channel to raise it through.

March 18, 2026: DeepDelver publishes "Fake Compliance as a Service, Part I" on Substack, laying out allegations with screenshots and documentation. The post accuses Delve of fabricating evidence, generating auditor conclusions on behalf of certification mills, and skipping major framework requirements while telling clients they had achieved 100% compliance.

March 21, 2026: TechCrunch publishes its first report. Delve responds on its blog, calling the Substack post "misleading" and characterizing itself as an "automation platform" that provides "templates," not pre-filled evidence.

March 23, 2026: Insight Partners scrubs its article explaining its $32 million investment in Delve. The article, titled "Scaling AI-native compliance," is preserved only on the Wayback Machine.

March 30, 2026: LiteLLM CTO Ishaan Jaffer publicly announces the company is dropping Delve and will pursue recertification with Vanta and an independent third-party auditor.

Security researcher James Zhou also reports finding vulnerabilities in Delve's external attack surface, including access to employee background checks and equity vesting schedules. Dvuln founder Jamieson O'Reilly corroborates the findings.

From the first leaked spreadsheet to the Substack post: roughly four months. Four months where people with evidence had nowhere to take it except to each other. That's the cost of not having reporting infrastructure.

Why DeepDelver Went Public

When TechCrunch asked DeepDelver why they remained anonymous, the answer was blunt: fear of retaliation from Delve.

That fear wasn't theoretical. DeepDelver described themselves as working at a former Delve client. They coordinated with other former customers who shared the same experience of being "underwhelmed" and sensing "something fishy." They had evidence. They had documentation. They had a story that the compliance industry needed to hear.

But they had no safe channel to tell it through.

Delve, the company being accused, had no visible anonymous reporting mechanism for clients or employees. The affected client organizations apparently didn't have reporting systems that could receive and act on this type of information either. So a group of people with legitimate compliance concerns did what whistleblowers have always done when institutions fail them: they went public.

Substack was the platform of last resort. It provided anonymity, a publishing mechanism, and an audience. It also meant the information went from zero to viral with no opportunity for controlled investigation or resolution.

DeepDelver was "baffled by the laziness, clumsiness and brazenness" of Delve's response, pointing out that the company's defense amounted to relabeling "pre-filled evidence" as "templates" and shifting blame to customers for using them as-is.

Allegations about operations in India, the absence of actual AI, and trust pages containing controls that were never implemented went unaddressed.

This is what happens when there's no internal path for concerns to surface. The information doesn't disappear. It finds another way out. And when it does, the organization loses control of the narrative entirely.

The Downstream Risk for Delve's 494 Clients

The immediate scandal is Delve's. The downstream risk sits with roughly 494 companies that relied on Delve's certifications to demonstrate compliance to their own customers, partners, and regulators.

If DeepDelver's allegations hold up, those companies may be holding audit reports that were never based on genuine independent assessment. Every customer, partner, and enterprise buyer who relied on those reports to make procurement decisions has reason to ask questions.

Companies handling protected health information may have been operating outside HIPAA requirements without knowing it. Companies claiming GDPR compliance based on Delve's certifications face potential regulatory scrutiny in European markets. Any company that published a Delve-generated trust page now has a public record of claims they may not be able to substantiate.

LiteLLM's response, dropping Delve and pursuing recertification with Vanta and an independent auditor, is likely a preview of what hundreds of companies will need to do. That process takes time and costs money.

None of this had to be public. If the concerns had surfaced through proper reporting channels first, at least some of these companies could have investigated and acted before a Substack post put them on the front page of TechCrunch.

What Most Organizations Have vs. What They Need

The Delve case illustrates a specific gap: when people inside or adjacent to an organization discover misconduct, they need a way to report it that is anonymous, protected, and connected to someone who can act on it. Most organizations don't have that. Here's what they have instead, and why it fails.

The problem: anonymity is promised but not guaranteed. DeepDelver went to Substack because they feared retaliation. Most "anonymous" reporting policies rely on trust, not technology. The reporter has to believe the organization won't trace the report back to them. When the stakes are high, belief isn't enough. Real anonymity needs to be built into the system at a technical level, through purpose-built whistleblowing software where the reporter can communicate, provide evidence, and receive updates without ever being identifiable.

The problem: reporting is a one-way drop. Most hotlines, email inboxes, and legacy speak-up channels collect reports. They don't create conversations. But investigations require follow-up questions. Reporters need to know their concerns are being taken seriously, not dropped into a void. Without a persistent, anonymous two-way channel, the organization gets a fragment of the story and the reporter assumes nothing happened.

The problem: reports go nowhere structured. This is where shared inboxes and HR email addresses break down. Reports come in with no structure, no categorization, and no connection to previous reports that might reveal a pattern. When a regulator asks how concerns are handled, the answer is "it depends on who received it and what they did with it." That's not a process. It's a gamble.

The problem: no audit trail. When regulators investigate (and in the Delve case they likely will), organizations need to demonstrate what they knew, when they knew it, and what they did about it. The difference between "we responded" and "we can prove we responded" is documentation, and most ad hoc reporting setups don't produce any.

The problem: the reporter isn't always an employee. The Delve whistleblower was a client, not an employee. Reporting systems that only cover internal staff miss a significant category of people who encounter misconduct: vendors, contractors, customers, and partners. The people closest to the problem are not always on the payroll.

The Wirecard Parallel

Pav Gill, Confide's co-founder, knows what DeepDelver went through because he lived a version of it at a much larger scale.

In 2017, Gill joined Wirecard as Head of Legal for Asia-Pacific. What he found was systematic fraud that would eventually total €24 billion. He tried to report it internally. The channels either didn't exist in any meaningful form or were controlled by the people committing the fraud. Gill became a whistleblower. Wirecard tried to destroy him: surveillance, threats, attempts to discredit him professionally.

The Wirecard collapse is now one of the largest corporate fraud cases in European history, the subject of books, documentaries, and criminal proceedings.

Gill co-founded Confide Platform because of a specific conviction: organizations need whistleblowing software and internal reporting infrastructure that works before someone is forced to go external. Not because external whistleblowing is wrong. It's protected, and often necessary. But when someone has to go to Substack, or the press, or regulators as a first resort, it means the organization's own defenses have already failed.

The Delve case fits the pattern. People with evidence of misconduct looked for a safe way to report it. They found none. They went public. Now 494 companies are managing the consequences.

What Boards and Compliance Teams Should Take from This

The Delve scandal will produce regulatory investigations, litigation, and a wave of recertification activity across hundreds of companies. Beyond the immediate fallout, there are structural lessons that apply to every organization.

Your compliance vendors are part of your risk surface. Delve's clients outsourced compliance and in doing so outsourced trust. When that trust turned out to be misplaced, the risk flowed straight back to them. Boards should treat compliance vendor relationships with the same scrutiny they apply to any critical third party. If your vendor can't withstand due diligence, neither can your compliance posture.

If people can't speak up internally, they will report externally. This pattern has repeated across every major corporate scandal: Enron, Wirecard, Boeing, now Delve. The question for every board is not whether misconduct will surface. It's whether your organization hears about it first or reads about it in TechCrunch.

Anonymous reporting protects the organization, not just the reporter. Some leaders still view whistleblowing channels with suspicion. The concern is usually frivolous complaints or undermined management authority. Look at the Delve case and ask: would those leaders rather have received an anonymous internal report six months ago, or would they prefer the Substack post and the TechCrunch coverage? Anonymous reporting channels don't create problems. They surface problems that already exist, early enough to do something about them.

The window between suspicion and publication is your only chance to act. DeepDelver and their collaborators investigated for roughly four months before publishing. During that entire window, an anonymous reporting channel could have captured any of those concerns and triggered a formal investigation and remediation. Nobody would have read about it in TechCrunch. Instead, the first signal was a fully documented, carefully sourced Substack post that left no room for quiet resolution. By the time organizations learned about it, the narrative was already set.

Compliance theater is worse than no compliance. Delve's clients thought they were compliant. They had reports. They had trust pages. They had audit letters. According to DeepDelver's allegations, all of it was built on fabricated evidence and rubber-stamp reviews. The appearance of compliance without the substance creates a false sense of security that makes organizations more vulnerable, not less. This is the compliance industry's version of "worse than useless": it's actively dangerous because it replaces the urgency to get compliant with the illusion that you already are.

The compliance industry exists to build trust. When that trust is manufactured rather than earned, the people who discover the gap will find a way to say so. The only question is whether your organization gives them a safe internal channel, or whether you find out when the rest of the world does.

Frequently Asked Questions

What did DeepDelver accuse Delve of doing?

DeepDelver alleged that Delve systematically fabricated compliance evidence for SOC 2, ISO 27001, HIPAA, and GDPR certifications. The accusations included pre-filled audit evidence presented as customer-generated, rubber-stamp auditor relationships, and trust pages listing security controls that were never implemented. Delve responded by characterizing its platform as providing "templates," not pre-filled evidence.

How many companies were affected by the Delve compliance scandal?

Approximately 494 companies relied on Delve's certifications. These organizations may now hold audit reports that were never based on genuine independent assessment. Companies handling protected health information, claiming GDPR compliance, or publishing Delve-generated trust pages face potential regulatory and contractual exposure.

Why did the Delve whistleblower publish on Substack instead of reporting internally?

DeepDelver cited fear of retaliation from Delve. Neither Delve nor the affected client organizations had a visible anonymous reporting channel for concerns of this nature. Without a safe internal path, the whistleblower used Substack as a platform of last resort, which meant the information went from zero to viral with no opportunity for controlled investigation.

What should companies do if they used Delve for compliance certifications?

Affected companies should assess which certifications were obtained through Delve, determine whether the underlying evidence was genuinely verified, and pursue recertification with an independent auditor if needed. LiteLLM's public response (dropping Delve and recertifying with Vanta and a third-party auditor) is a useful reference point for the process.

How do anonymous reporting channels prevent compliance scandals from going public?

Anonymous reporting channels give people with evidence of misconduct a safe internal path to raise concerns before they feel forced to go external. In the Delve case, roughly four months passed between the first leaked evidence and the Substack publication. During that window, a functioning anonymous reporting system could have captured the concerns, triggered a formal investigation, and given affected organizations the chance to act before TechCrunch was involved.

Confide Platform provides anonymous reporting, whistleblowing, and case management infrastructure for organizations that want to detect and address misconduct before it becomes a public crisis. Founded by Wirecard whistleblower Pav Gill and built by practitioners who've seen what breaks when reporting channels don't exist.