IRIS C2, an offensive cybersecurity startup based in McLean, Virginia, is currently soliciting zero-day exploits with payouts up to $7 million. The venture is operated by Jacob Wohl and Jack Burkman, convicted felons and conspiracy theorists with a history of fabricating intelligence operations and committing telecommunications fraud.
This isn’t your standard boutique security firm. It’s a high-stakes gamble on the “grey market” of vulnerability research, where the line between a legitimate contractor and a digital mercenary is razor-thin. For the security community, the red flag isn’t just the founders’ rap sheets—it’s the brazenness of the recruitment. IRIS C2 is shouting from the rooftops of X (formerly Twitter) and LinkedIn, targeting “junior engineers with raw talent” regardless of their formal education.
The Mechanics of the Zero-Day Hustle
To understand why IRIS C2 is dangling millions, you have to understand the “exploit chain.” A zero-day is a vulnerability unknown to the vendor. But a single bug is rarely enough to compromise a modern device. Attackers need a chain of “primitives”—small, exploitable flaws that, when sequenced, allow for remote code execution (RCE) or privilege escalation.

Jacob Wohl admits he has no formal degree in computer science. Yet, he claims a mastery of the technical process, specifically the stabilization of these primitives. In an interview with KrebsOnSecurity, Wohl explained that researchers often bring in raw findings—like a flaw in a phone’s media decoder—which his team then polishes into a reliable, weaponized exploit. This process is the difference between a crash (a Denial of Service) and a silent takeover of a target’s device.
The target? Phone-hacking services for the government. Wohl claims the company employs roughly 40 people, though he mandates a strict “no LinkedIn” policy for staff to maintain operational security. It’s a convenient cloak for a company whose leadership has a penchant for aliases.
A Pattern of Fabricated Intelligence
The “offensive security” pivot is a logical evolution for Burkman and Wohl. Their career trajectory has always been about the monetization of misinformation and the simulation of authority.

- The Fake Intel Era: The duo previously created sham intelligence companies to frame public figures, including fabricated claims against former FBI Director Robert Mueller and Pete Buttigieg.
- The Robocall Scheme: In the wake of the 2020 election, they were prosecuted across multiple states for disseminating false claims about mail-in ballots. This resulted in a $5.1 million fine from the FCC.
- LobbyMatic: More recently, they operated an AI-based lobbying platform under the pseudonyms “Jay Klein” and “Bill Sanders,” according to Politico. Employees only discovered the founders’ true identities after leaving the firm.
They are convicted felons. Wohl pleaded guilty to selling unregistered securities in California in 2019. Both pleaded guilty to telecommunications fraud in Ohio in 2022. Following legal proceedings, their legal battles have transitioned to probation, leaving them free to pivot into the world of cyber-arms dealing.
The Calvexa Group Shell Game
The corporate architecture of IRIS C2 is a classic shell game. The website irisc2.com is operated by Calvexa Group LLC. While Calvexa is registered as a federal contractor on g2exchange.com, it does not appear to be working on any direct government contracts. When pressed on the specifics of their federal work, Wohl claimed he was “not at liberty” to discuss them.
This lack of transparency is a hallmark of firms in this market. In the real world of CVE (Common Vulnerabilities and Exposures) tracking and government procurement, legitimacy is proven through past performance and vetted security clearances—not via a pinned post on X targeting high-IQ teenagers.
The risk here extends beyond the founders’ ethics. By recruiting inexperienced “junior engineers” into an environment run by fraudsters, IRIS C2 is essentially building a pipeline of talent for a company that views the law as a suggestion. The most recent evidence of this opportunistic streak appeared in reports that they accepted a $300,000 retainer from a Canadian cryptocurrency fraudster to lobby for a presidential pardon.
The Verdict for the Security Ecosystem
For the average developer or enterprise IT manager, IRIS C2 is a cautionary tale about the “democratization” of offensive security. The market for zero-days is inherently volatile, but the entry of actors who specialize in fraud introduces a new layer of systemic risk.
.jpg)
If a company lacks a transparent leadership structure and relies on pseudonyms to hire staff, the “million-dollar payout” for an exploit is likely a lure rather than a legitimate business transaction. In the world of IEEE standards and rigorous peer-reviewed security, the “Wohl of Wall Street” approach is not innovation—it’s a grift with a technical veneer.
The takeaway is simple: if the “security” firm you’re dealing with has a history of FCC fines and felony fraud, your code isn’t the only thing at risk. Your reputation is, too.