VYPR
researchPublished Jul 8, 2026· 1 source

Offensive Cybersecurity Startup IRIS C2 Linked to Convicted Felons Jack Burkman and Jacob Wohl

A new offensive cybersecurity startup, IRIS C2, which claims to acquire zero-day exploits for millions, is reportedly run by convicted felons Jack Burkman and Jacob Wohl, known for past disinformation campaigns.

A cybersecurity startup named IRIS C2, which has been actively recruiting vulnerability researchers with promises of million-dollar payouts for zero-day exploits, is reportedly operated by Jack Burkman and Jacob Wohl. These individuals have a documented history of running fake intelligence ventures and engaging in disinformation campaigns.

IRIS C2, operating under the guise of Calvexa Group LLC, claims to be based in McLean, Virginia, and actively seeks "zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms." Their recruitment efforts, primarily through their X/Twitter account @C2IRIS and website irisc2[.]com, target junior engineers with high intelligence, emphasizing raw talent over formal experience. Payouts advertised range from $10,000 to $7 million, depending on the exploit's value and reliability.

Further investigation reveals that the incorporation records for Calvexa Group LLC list an address occupied by Jack Burkman, a 60-year-old founder of the lobbying firm Burkman & Associates. When questioned about IRIS C2, Burkman deferred inquiries to his associate, Jacob Wohl, 28. Wohl, however, stated that Burkman is not involved in the daily operations of IRIS C2, though he acknowledged their shared history.

Burkman and Wohl are notorious for their past activities, including the creation of fabricated intelligence companies used to spread false claims and frame public figures. They have faced legal repercussions for orchestrating robocall schemes to suppress votes, leading to indictments and felony convictions for telecommunications fraud. In separate legal actions, they were also found to have violated civil rights laws and were fined millions by the FCC for their robocall campaigns.

Wohl himself has a history of financial impropriety, having been charged with securities fraud and pleading guilty to selling unregistered securities. Despite his lack of formal computer science education, Wohl claims IRIS C2 initially focused on penetration testing before shifting to selling "phone-hacking services" to the government, though he declined to provide specifics on any federal contracts.

The cybersecurity market for vulnerabilities is known to attract a diverse range of individuals, but IRIS C2's overt and brazen approach to recruiting and advertising its services stands out. While many government contractors discreetly acquire exploits, IRIS C2's public-facing recruitment and claims of acquiring high-value zero-days by individuals with a history of fraudulent activities raise significant red flags.

KrebsOnSecurity became aware of IRIS C2 after an attendee at a cybersecurity conference reported that Wohl and Calvexa Group were soliciting vulnerability research from attendees. The company's aggressive outreach and the backgrounds of its alleged operators suggest a potential for misuse of acquired exploits or a continuation of their pattern of deceptive business practices within the sensitive offensive cybersecurity sector.

Synthesized by Vypr AI