Last fall, George Kurtz, the chief executive officer of CrowdStrike Holdings Inc., gave investors a quarterly financial update that sent shares soaring. Among the details Kurtz highlighted was a major deal to sell cybersecurity tools for use by the U.S. government.

“Identity threat protection wins in the quarter included an eight-figure total deal value win in the federal government,” Kurtz said on the earnings call after markets closed on Nov. 28, 2023.

Kurtz was referring to a $32 million order from Carahsoft Technology Corp., which serves as a middleman between technology companies and government agencies, that arrived on the last day of CrowdStrike’s fiscal third quarter. It was for identity threat protection software intended for the Internal Revenue Service, according to documents from both companies.

But the IRS never bought the software, according to records reviewed by Bloomberg News and people with knowledge of the situation.

Still, Carahsoft has been making on-time payments on the $32 million to CrowdStrike, according to the cybersecurity firm. When asked for comment by Bloomberg News, both companies explained that they had a “non-cancellable order” between them. They declined to say why that deal was struck without a purchase in place from the IRS. 

Some legal and accounting experts, who reviewed the arrangement at Bloomberg’s request, said it raises red flags that merit scrutiny from regulators. The deal also raised concerns within CrowdStrike — according to people familiar with the matter and the company itself — and many specifics of the transaction remain unclear.

Benjamin Fanjoy/Bloomberg

Depending on how CrowdStrike accounted for the deal in financial statements — the company didn’t explain those details — it was big enough that it could have made the difference between the company beating or missing Wall Street projections for the period. The day after CrowdStrike reported results for the record quarter, its shares rose 10%.

Jeremy Fielding, a spokesperson representing CrowdStrike, dismissed employees’ concerns as baseless and the order’s timing as insignificant. The Austin, Texas-based cybersecurity firm closes deals “throughout the quarter, starting the first day and often through the last day,” he said. 

“The Carahsoft deal went through a separate and extensive review,” he said, adding that it “was given a clean bill of health.” Fielding characterized the experts’ comments as “inaccurately speculating about a transaction that CrowdStrike confirmed fully met” an accounting standard on revenue from contracts. 

CrowdStrike “closed and recognized” the deal once Carahsoft placed the order, and its booking of the revenue is consistent with standard accounting principles, according to Thomas Clare and Elizabeth Locke, lawyers representing the cybersecurity company.

A representative of Carahsoft, Mary Lange, said in an email, “Carahsoft is a private company and we do not disclose financial information or customer details. That said, we placed a valid, non-cancellable order with CrowdStrike and stand by that transaction.” The company declined to answer any other questions.

The IRS didn’t answer detailed questions. The tax agency said in a statement that it doesn’t hold any contracts with CrowdStrike directly and, in keeping with federal procurement rules, acquires its software and services through third-party vendors.

No IRS contract or payments matching the deal appear in the public government spending database USASPENDING.gov. The database excludes some information — for instance, material that could compromise national security. But the tax agency’s purchases of CrowdStrike’s products through vendors total less than $10 million, according to a person familiar with the matter.

This story is based on records of the transaction and interviews with five people familiar with the matter, who requested that their names not be published because they aren’t authorized to discuss it.

“It raises an eyebrow,” said Lawrence Cunningham, director of the University of Delaware’s John L. Weinberg Center for Corporate Governance.

“It appears on its face to be uncompensated risk, and rational businesses don’t usually accept uncompensated risk,” Cunningham said, referring to Carahsoft’s payments to CrowdStrike.

Carahsoft declined to answer questions about whether it was taking a loss on the deal or if it found a way to recoup the money.

In recent months, separate issues at CrowdStrike and Carahsoft have drawn negative attention and government scrutiny.

CrowdStrike, with annual revenues of more than $3 billion, sells security software to thousands of businesses and government agencies globally. But in July, a flawed update from the firm knocked out millions of Windows computers around the world, disrupting air travel, medical care, banks and other businesses. Executives have apologized repeatedly, including before members of Congress; the company’s share price plummeted after the outage and hasn’t fully recovered.

Carahsoft is a dominant player among resellers and distributors that help technology companies navigate the complexities of selling to government agencies. In September, agents from the FBI and the Department of Defense searched the company’s Reston, Virginia, headquarters. Lange, the Carahsoft spokesperson, previously said the company was cooperating with the FBI probe and that it involved “an investigation into a company with which Carahsoft has done business in the past.” 

The Justice Department is also conducting a civil probe of Carahsoft and software giant SAP SE for potential price fixing on government contracts. The German firm is cooperating with the civil probe, a spokesperson said. SAP chief financial officer Dominik Asam told Bloomberg News that SAP had “gotten written assurance from Carahsoft” that the FBI search was “entirely unrelated” to SAP and a U.S. subsidiary.

There’s no known link between CrowdStrike and either the civil investigation or search of Carahsoft’s office. Fielding, the CrowdStrike representative, said neither investigation is connected to the cybersecurity company.

A potential deal for the IRS dates to early 2023, when CrowdStrike sales representatives began talking with agency officials about buying an identity verification tool to help prevent fraud in a new program that lets people file their taxes directly with the government, according to three people familiar with the matter.

Work continued on a potential deal in the following months, but by mid-October it had become clear to at least some CrowdStrike staff that the IRS wouldn’t order the software before the company’s quarter closed at the end of the month, the people said.

Nevertheless, on Halloween, Carahsoft ordered $32.25 million worth of subscription access to CrowdStrike’s “Government National Identity Threat Protection” service for as many as 40 million users, according to records and two of the people. The order split the purchase into four $8 million payments, with the final payment due at the end of this October. The order indicates that Carahsoft should be billed for the CrowdStrike software and that it should be shipped to the IRS’s Washington headquarters.

That day, CrowdStrike sent an automated email to dozens of staff, saying, “Opportunity has been Closed Won for Internal Revenue Service (IRS).”

The closing of the deal and Kurtz referring to it on the earnings call alarmed some staff who raised internal concerns that CrowdStrike was “pre-booking” a transaction that they viewed as incomplete because it was unclear whether the IRS would ever make the large purchase, according to three of the people. U.S. regulators have in some cases sued and fined companies over alleged pre-booking, also known as channel stuffing, claiming they misled investors by improperly recognizing revenue to inflate their financial figures.

Fielding said it was “demonstrably false” that there was any pre-booking.

That quarter, $32 million was enough to make the difference between CrowdStrike beating analysts’ expectations on two key financial metrics — annual recurring revenue and net new annual recurring revenue — or falling short of them. CrowdStrike highlighted both metrics in the earnings announcement for the quarter, but the company declined to answer questions about whether the deal was recorded under them.

Annual recurring revenue is widely used by software companies to track income from subscriptions. CrowdStrike has consistently emphasized it with investors, writing in a 2019 regulatory filing that it “is a key metric to measure our business.”

Theresa Gabaldon, a professor at the George Washington University Law School, said that for CrowdStrike to appropriately book the deal as revenue it would need to have not only received payment but also delivered the product. Neither CrowdStrike nor Carahsoft answered questions about what became of the subscription software.

“I characterize it as raising red flags,” Gabaldon, who teaches securities regulation, law and accounting, said of the deal.

Whatever happened, Carahsoft was among the companies that CrowdStrike feted at a June “partner symposium.” There, Kurtz and other CrowdStrike staff mingled with guests at a luxury resort on the southern California coast. A video shows attendees enjoying drinks and live string music on a bluff overlooking the Pacific Ocean and getting sushi-making lessons from a celebrity chef.

At the event, CrowdStrike named Carahsoft “Distributor of the Year.”