After Data Breach, $10B-Valued Startup Mercor Is Having a Month

Six months ago, Mercor stood atop the tech world—a fresh $350 million Series C, a jaw-dropping $10 billion valuation, and the kind of buzz most startups can only imagine. The company, celebrated for powering the invisible engines of AI through sophisticated data training, seemed unstoppable. Then, at the end of March, the walls began to shake. Mercor admitted publicly: it had suffered a data breach.

The reality behind that admission proved more gutting by the hour. Soon after, a hacker collective came forward, claiming to possess four terabytes of Mercor’s internal data. Not just anonymous files—sensitive candidate profiles, personal identifiers, employer records, raw source code, even API keys. In the data-centric economy Mercor inhabited, this wasn’t just a leak. It was a rupture with potential consequences echoing across its contracts and reputation.

In response, Mercor stayed mostly silent. Official statements were careful and noncommittal, repeating the company's commitment to investigate and “communicate with customers and contractors directly as appropriate.” There was no confirmation or denial of what had actually been stolen. Just a promise—vague and brittle—to devote resources to solving the problem fast.

The breach, it turned out, had its origins in a tool almost every AI company relies on. LiteLLM, an open-source platform trusted and downloaded millions of times daily, was briefly compromised. For forty minutes, credential-harvesting malware slipped inside the tool, stealthily lifting login information. Those credentials opened the doors to even more accounts, where further data and keys were siphoned away. Like dominoes, one breach triggered the next.

The true cost of what the hackers seized is still unclear—the scale and sensitivity remain shrouded by legal caution and active investigation. But the impact came quickly. Meta, one of Mercor’s largest clients, quietly froze its contracts, according to sources who spoke with Wired. Mercor itself refused to discuss Meta’s move, dodging specifics.

Mercor, like its rivals, traffics in some of the most precious secrets in artificial intelligence: proprietary data sets and the intricate processes behind model training. These are the closely guarded formulas that make or break an AI’s advantage. They’re so crucial that even after Meta poured over $14 billion into Scale AI, Mercor’s top competitor, the social media giant still kept Mercor on call—at least, until the breach changed everything.

Nestled somewhere between bad news and hope, there was a small glimmer for Mercor. OpenAI, another essential partner, confirmed to Wired that it was assessing its exposure but hadn’t severed ties or paused contracts. Even so, TechCrunch heard rumblings—unconfirmed but persistent—that other leading AI firms were reevaluating their relationships with Mercor, though nobody was ready to go on record.

Meanwhile, the legal blowback started to gather force. Five of Mercor’s contractors have filed lawsuits, alleging harm from the breach of their personal data. It is too early to tell whether these lawsuits are genuine threats or simply opportunistic attempts. Mercor, predictably, declined public comment.

One suit, examined by TechCrunch, stretches the circle of blame wider. Not only Mercor, but also LiteLLM and a compliance firm called Delve, ended up as named defendants. The connection? LiteLLM relied on Delve to secure its security certifications. Now, Delve faces accusations—from an anonymous whistleblower—of fabricating compliance data and employing auditors who functioned in name only.

Of course, a security certificate was never a guarantee against intrusion. Its real function is to signal that a company has the framework in place to manage risk. Now, Delve is scrambling to defend itself. It officially denied the allegations but has already switched up its internal processes. The scandal became so toxic that Y Combinator backed away entirely.

LiteLLM, for its part, quickly abandoned Delve, seeking fresh certifications elsewhere and publishing a full incident report to stem the reputational bleeding. Mercor, interestingly, confirmed to TechCrunch it had never been a direct client of Delve, though the web of connections still pulled it into the controversy.

The financial stakes are considerable. According to an anonymous source speaking to The Information, Mercor was on pace for more than $1 billion in annualized revenue before the bad news broke. With contracts in limbo and trust under siege, that future hangs, for now, in uncertainty.