CyberSecurity

A Cybersecurity Startup Promising Millions for Zero-Day Exploits Is Run by Convicted Felons

Published

on

The Pitch: Million-Dollar Bounties for Hacker Talent

An aggressive new player has entered the high-stakes world of zero-day acquisitions. IRIS C2, a self-described cybersecurity firm based in McLean, Virginia, is publicly dangling payouts of up to $7 million for previously unknown software vulnerabilities. Its X/Twitter account, launched in January 2025, has already amassed over 4,000 followers by posting about exploits, AI, and security bugs. The company’s website claims it buys “zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms.”

But the pitch is not what it seems. A deeper look reveals that the people behind IRIS C2 are not your typical security researchers. They are Jack Burkman, 60, and Jacob Wohl, 28 — a duo with a long rap sheet of fraud, felony convictions, and fabricated conspiracy theories.

The Men Behind the Curtain: Burkman and Wohl

Burkman and Wohl have spent years building a reputation for deception. In 2019, they held press conferences falsely accusing then-presidential candidates Elizabeth Warren and Kamala Harris of extramarital affairs. They fabricated sexual assault claims against former FBI Director Robert Mueller and Pete Buttigieg. Their specialty? Creating fake intelligence companies to spread disinformation.

After the 2020 election, the pair orchestrated a massive robocall campaign targeting Black voters in battleground states with false claims about mail-in ballots. They were indicted in Cleveland on 15 felony counts of voter suppression. In late 2025, after exhausting appeals, they were sentenced to probation. Earlier, in 2022, both pleaded guilty to telecommunications fraud in Ohio. In March 2023, a New York civil court ordered them to pay a $1 million settlement for violating federal and state civil rights laws. The FCC followed with a $5.1 million fine — the largest ever under the Telephone Consumer Protection Act.

Wohl’s history of financial crimes goes back even further. At 17, he started multiple investment firms and earned the nickname “Wohl of Wall Street” after appearing on Fox News in 2015. In 2017, the Arizona Corporation Commission charged him with 14 counts of securities fraud. In 2019, he pleaded guilty in California to four felony counts of selling unregistered securities.

How IRIS C2 Connects to the Duo

The IRIS C2 website is registered to Calvexa Group LLC, a Virginia-based federal contractor. The contact page on Calvexa Group’s site redirects visitors to IRIS C2’s domain. Incorporation records list an Arlington, Virginia address — which turns out to be the office of Burkman’s lobbying firm, Burkman & Associates.

When approached by KrebsOnSecurity, Burkman referred questions to Wohl. Wohl admitted that Burkman is not involved in day-to-day operations but confirmed his own role. He claimed IRIS C2 started as a penetration testing company before pivoting to selling phone-hacking services to the government. He said the firm has about 40 employees, though none are allowed to list their jobs on LinkedIn for “operational security reasons.”

A History of Pseudonyms and Shell Companies

This is not the first time Burkman and Wohl have hidden behind fake identities. In September 2024, Politico reported that the pair ran a now-defunct AI lobbying platform called LobbyMatic under the assumed names “Jay Klein” (Wohl) and “Bill Sanders” (Burkman). Two employees quit after learning their bosses’ real identities. Others only found out after leaving the company.

The Oddity of an Open Zero-Day Market

The market for zero-day exploits has always attracted a motley crew: academics, hobbyists, criminals, and legitimate government contractors. But most firms that sell offensive capabilities to the U.S. government operate with discretion. IRIS C2 is an exception. Its public bravado — posting about million-dollar payouts and recruiting “junior engineers with raw talent/extremely high IQ” — is unusual in a field that prizes anonymity.

Wohl, who has no formal training in computer science, told KrebsOnSecurity: “I know more about tech than anyone. My background has always been extremely technical.” He claimed researchers bring him “spectacularly exquisite capabilities that would make your head spin.” But when pressed on federal contracts, he clammed up, citing national security.

What This Means for the Cybersecurity Community

For vulnerability researchers, the warning is clear: not every buyer is who they claim to be. A company offering life-changing money for exploits might be run by convicted felons with a history of fraud. The offensive cybersecurity startup IRIS C2 may have legitimate aspirations, but its founders’ track record raises serious red flags.

Researchers considering selling their work should vet buyers thoroughly. Check incorporation records. Search for legal judgments. Ask for references. The zero-day market is lucrative, but it’s also a playground for fraudsters. Burkman and Wohl have proven they can reinvent themselves — but their past keeps catching up.

As one conference attendee told KrebsOnSecurity, Wohl and Calvexa Group were aggressively soliciting vulnerability researchers at a recent cybersecurity event. The message was simple: they wanted to buy exploits. The subtext, now clear, is that the sellers should have asked more questions.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version