// 2 ZERO-DAY · 3 CVE · 4 EXPLOIT · 1 ADVISORY IN THE LAST 24H
IRIS C2, a McLean, Virginia startup offering up to $7 million for zero-day vulnerabilities, is operated by Jacob Wohl and Jack Burkman — convicted fraudsters with a history of political disinformation, record FCC robocall fines, and fake intelligence firms. A KrebsOnSecurity investigation published July 8, 2026, exposes how the pair are leveraging the zero-day market's structural secrecy to rebuild legitimacy.

IRIS C2, a startup based in McLean, Virginia, that offers up to $7 million for zero-day vulnerabilities and exploit capabilities, is operated by Jacob Wohl and Jack Burkman. The pair have criminal convictions for telecommunications fraud, a record $5.1 million FCC fine for robocall campaigns, and a documented history of fake companies and pseudonyms. The KrebsOnSecurity investigation, published July 8, 2026, reveals how two operators known for political disinformation and financial fraud are rebuilding legitimacy in the offensive cybersecurity market through the sector's structural secrecy.

The case raises immediate questions about the quality of due diligence in the government zero-day market, where lack of transparency is standard operating procedure and the use of false identities is an established practice. The source does not verify active federal contracts or the company's actual technical capability.

Key Takeaways
  • IRIS C2 is registered as Calvexa Group LLC in McLean, Virginia, with an address linked to Jack Burkman, 60, and Jacob Wohl, 28, as operational contact
  • The site irisc2[.]com offers payouts from $10,000 to $7,000,000 for zero-days, exploit primitives, partial chains, and full capabilities
  • Wohl and Burkman pleaded guilty in 2022 to telecommunications fraud in Ohio, paid a $1 million civil settlement in New York in 2023, and incurred a record $5.1 million FCC fine for election robocalls
  • Wohl stated he has no formal education in computer science or information security, and that IRIS C2 employs roughly 40 people who are barred from mentioning their employment on LinkedIn for operational security

Corporate Structure and Million-Dollar Exploit Offers

IRIS C2 operates through Calvexa Group LLC, an entity registered as a federal contractor on the G2Exchange platform but with no visible active direct government contracts. The registration address is occupied by Jack Burkman, founder of the lobbying firm Burkman & Associates. Jacob Wohl, the company's operational contact, told KrebsOnSecurity that Burkman is not involved in day-to-day operations.

The business model, as described by the site and Wohl's statements, involves acquiring raw vulnerabilities from junior researchers with technical talent despite the absence of academic credentials or industry experience. A pinned post on the X account @C2IRIS states: "Our business model is this: Attract the very best vulnerability researchers and exploit developers in the world to join our company. This mostly revolves around junior engineers with raw talent/extremely high IQ. We don't care if they have a college degree/industry experience."

Wohl explained the technical refinement process to KrebsOnSecurity: "Let's say someone finds a flaw in a media decoder on a phone. A lot of times what we receive is an exploit primitive, where the idea is there but the [execution] needs work. You need that exploit to be stable and reliable, and that's what we do." That statement, however, is not independently verifiable: no public technical evidence of stable exploits produced by IRIS C2 exists.

Founders' Criminal Record: Fraud, Robocalls, and Fake Intelligence

Wohl and Burkman's background is documented by criminal judgments, administrative fines, and cross-referenced journalism. In 2017, the Arizona Corporation Commission ordered Wohl, then 17, to pay $35,000 in restitution for securities fraud. In 2022, both pleaded guilty to telecommunications fraud in Cleveland on 15 counts for a robocall scheme aimed at suppressing the Black vote in Detroit.

In 2023, a record $5.1 million FCC fine for TCPA violations sanctioned the election robocall campaigns. That same year, a $1 million civil settlement in New York resolved civil rights violations. Wohl and Burkman also have a consolidated history of creating fake intelligence firms: "Surefire Intelligence," founded by Wohl, spread false allegations against Robert Mueller, Pete Buttigieg, Elizabeth Warren, and Kamala Harris.

In September 2024, Politico revealed the pair operated LobbyMatic, an AI-based lobbying platform, under the pseudonyms "Jay Klein" (Wohl) and "Bill Sanders" (Burkman). Employees resigned en masse after discovering their real identities. The pattern of operating under false names and front companies now repeats at IRIS C2.

"I do not have any formal education or training in computer science or information security, and that most of my knowledge on the matter is self-taught." — Jacob Wohl, interview with KrebsOnSecurity, 2026

Pivot from Penetration Testing to "Government Phone-Hacking"

Wohl stated that IRIS C2 recently shifted from penetration testing to "phone-hacking services to the government." The source does not specify which government agencies would be involved nor provide contract documentation. Wohl declined details on alleged federal agreements during the interview.

The claim about the business model's evolution introduces another unverified area. The shift from penetration testing — a legal, regulated activity — to "phone-hacking" services implies mobile exploit capabilities and potential law enforcement or intelligence use. The source documents neither the existence of such technical capabilities nor their actual sale to government entities.

At the same time, Wohl made statements at odds with his lack of formal technical credentials: "I know more about tech than anyone. My background has always been extremely technical, and I've always been deeply into tech. People know me as someone who is able to create spectacularly exquisite capabilities that would make your head spin." The source does not verify these assertions.

Why This Matters

The dossier does not document specific remedial measures or operational actions for engaging with IRIS C2. The source does not specify the nature of any exposed data nor provide technical indications of exploits actually in the startup's possession. The only verifiable elements are public records: corporate filings, criminal judgments, FCC fines, and Politico's reporting on LobbyMatic.

The IRIS C2 case illustrates a systemic mechanism rather than an isolated incident. The government zero-day market operates inherently in secrecy: the identities of sellers, brokers, and often buyers are protected. This structural opacity, combined with million-dollar payouts, creates conditions where operators with criminal backgrounds can rebuild legitimacy without effective scrutiny. Calvexa Group LLC is registered as a federal contractor, but registration does not imply verification of beneficial owners' backgrounds.

The source does not verify the actual existence of the roughly 40 employees claimed by Wohl, nor their awareness of the founders' criminal backgrounds. The prohibition on mentioning employment on LinkedIn, justified as operational security, makes independent verification of the organization's true size impossible.

No infrastructure overlaps emerge linking IRIS C2 to the NVD vulnerabilities cited in the dossier context (CVE-2025-53770, CVE-2026-3910, CVE-2026-45659) at this time. Those CVEs provide technical context on the type of vulnerabilities that interest the zero-day market — SharePoint RCE, Chrome V8 flaw — but no documented link to IRIS C2 activity.

Frequently Asked Questions

Does IRIS C2 actually have government contracts?

The source does not verify this. Wohl claims a transition to "phone-hacking services to the government" but refuses specific details. Calvexa Group LLC is registered as a federal contractor with no visible active direct contracts.

Are employees aware of the founders' criminal backgrounds?

The dossier does not specify. Wohl states roughly 40 employees cannot mention their employment on LinkedIn for operational security; no independent verification of their identities or awareness is available.

Are Wohl and Burkman currently incarcerated or wanted?

No. The convictions reported in the dossier resulted in probation, fines, and civil settlements. No active incarceration or outstanding arrest warrants are reported.

Sources

Information is based on the cited source and current as of publication.

Sources


Sources and references
  1. krebsonsecurity.com
  2. nvd.nist.gov