Y Combinator startup Delve, a $32 million compliance automation company, is accused of forking its own customer’s open source tool and rebranding it as proprietary software without attribution or payment. Anonymous whistleblower “DeepDelver” alleges Delve took Sim.ai’s Apache 2.0-licensed SimStudio platform, rebranded it as “Pathways,” and pitched it to prospects claiming they built it themselves. The allegations broke April 1, 2026 via TechCrunch. The irony is staggering: a compliance company allegedly can’t comply with basic open source licensing.
This follows earlier March whistleblower claims that Delve fabricated compliance certifications. Both companies are Y Combinator alumni, amplifying the scandal in Silicon Valley’s startup ecosystem.
The Customer Betrayal: Victim Paid Perpetrator
Sim.ai wasn’t just any company—it was a paying customer of Delve’s compliance services. While Sim.ai paid Delve for compliance work, Delve allegedly took Sim.ai’s open source product SimStudio (15,000 GitHub stars, 100,000+ users), forked it without permission, and rebranded it as “Pathways.”
When DeepDelver, a prospect, asked if Pathways was based on SimStudio, Delve representatives said “we built it ourselves,” according to the whistleblower. Sim.ai CEO later confirmed to TechCrunch: “We knew they planned to use Sim for something and later tried unsuccessfully to sell them an agreement.” He also confirmed no license agreement ever existed between the companies.
Moreover, the customer/vendor relationship inversion makes this especially egregious. Delve had access to Sim.ai’s systems and data during compliance work—a position of trust that allegedly enabled IP theft. After the allegations broke, Delve scrubbed all Pathways references from their website.
The Apache 2.0 Violation: What Delve Should Have Done
Apache 2.0 is permissive—it allows commercial use, modification, and redistribution. However, it requires attribution. If Delve forked SimStudio as alleged, they were required to: (1) include the original copyright notice, (2) include Apache 2.0 license text, (3) include the NOTICE file with attribution, and (4) disclose any modifications.
Instead, they allegedly claimed “we built it ourselves” and pitched it as proprietary software. That’s not a gray area—it’s a clear violation of Apache 2.0 terms. Consequently, violations can terminate the license grant and trigger litigation.
Pattern of Misconduct: Escalating Allegations
The open source violation is the latest in a series of whistleblower claims. On March 18, DeepDelver first alleged Delve “fabricated evidence of board meetings, tests, and processes that never happened” and forced customers to “choose between adopting fake evidence or performing mostly manual work.”
Furthermore, these claims suggested hundreds of customers were falsely told they were HIPAA/GDPR compliant, potentially exposing them to criminal liability and hefty fines. Delve denied the allegations, calling itself an “automation platform” that ingests information while final compliance reports are “issued solely by independent, licensed auditors.”
The timeline reveals escalating trouble: March 18 (fake compliance allegations), March 23 (Insight Partners scrubs $32M investment announcement—then restores it but LinkedIn post stays down), March 30 (more whistleblower “receipts”), April 1 (open source violation). Additionally, VCs almost never delete investment announcements unless something is seriously wrong. Insight Partners’ scrubbing signals investor panic.
Y Combinator Fallout: Alumni Against Alumni
Both Delve (YC W24) and Sim.ai are Y Combinator alumni. YC companies frequently buy each other’s products and form partnerships—exactly what happened here when Sim.ai became a Delve customer. Therefore, the alleged betrayal of a fellow YC company raises questions about accelerator due diligence and ethical standards.
Delve was founded by 21-year-old MIT dropouts Karun Kaushik and Selin Kocalar, who raised $32M at a $300M valuation in July 2025. Both have impressive credentials—Selin published 8 papers by age 20 and led an experiment aboard the International Space Station. But credentials don’t guarantee ethics.
Community Reaction: Trending Outrage
The allegations “generated so much outcry on X that it became a trending topic, complete with a scathing community note,” according to TechCrunch. On Hacker News, the story “Delve allegedly forked an open-source tool and sold it as its own” trended April 2, sparking hundreds of comments debating open source licensing enforcement and startup ethics.
Notably, the developer community’s anger centers on three points: customer betrayal, the compliance company irony, and open source violations. For developers who build careers on open source principles, this hits close to home. In fact, Apache 2.0 relies on good faith compliance—violations undermine trust in the entire ecosystem.
Key Takeaways
- Compliance companies must themselves comply. Apache 2.0 is permissive but requires attribution—these aren’t optional requirements. Customer trust is everything in the compliance industry, and Delve’s alleged actions destroy that foundation.
- The Y Combinator ecosystem faces a reputation challenge. When portfolio companies allegedly violate basic business ethics against fellow YC alumni, it raises questions about accelerator vetting and accountability.
- Open source community policing works. A whistleblower caught this violation, tech publications covered it, and the community amplified it. That’s how the ecosystem self-regulates—but only when people speak up.
