Cyber Security

Felons, Fraudsters Hit Offensive Cybersecurity Startups – Krebs in Security

A cybersecurity startup that dangles millions of dollars to find security vulnerabilities in popular software is run by far-right conspiracy theorists and criminals whose latest ventures include fake intelligence companies and a defunct AI-based recruiting platform that they now operate under assumed names.

X/Twitter account IRIS C2 (@C2IRIS) has gained over 4,000 followers since its creation in January 2025, regularly posting about security vulnerabilities, AI and software exploits. IRIS C2 is a McLean, Va.-based company. which sells offensive cybersecurity capabilities.

The IRIS C2 website offers an opportunity to pay a million dollars for exploitation to attract talent.

“Our business model is this,” reads a post pinned to the top of the IRIS C2 account on X. “Attract the best potential risk researchers and exploit engineers around the world to join our company. This is focused on young engineers with raw talent/very high IQ. We don’t care if they have a college degree/industry background.”

Website linked to that profile – irisc2[.]com – says that the company is hiring for many open positions, and a recent post on its LinkedIn page is excited about the large number of applications from potential employees. The website states that IRIS C2 is in the business of acquiring “zero-day equipment, rare original equipment, partial chains, and full power for all major platforms. Fees range from $10,000 to $7 million depending on the target, reliability, and cost of operation.”

Government contracting portal g2exchange.com reports that irisc2[.]com is run by a Virginia-based business called Calvexa Group LLC. “Contact” link on the Calvexa Group website – calvexagroup[.]com – forwards visitors to irisc2[.]com. G2Exchange indicates that although Calvexa Group LLC is registered as a government contractor, it does not appear to be working on any direct government contracts.

Searching for an Arlington, Va. address. listed in the records of Calvexa Group LLC finds that the property is occupied Jack Burkmanthe 60-year-old founder and managing partner of a recruiting firm Burkman & Associates. When asked about the IRIS C2, Burkman referred some questions to his longtime friend, the 28-year-old. Jacob Wohl.

Jack Burkman (left) and Jacob Wohl, at a press conference in August 2020. Image: Wikipedia.

Burkman and Wohl have a remarkable history of creating fake intelligence companies and using them to spread false claims about public exposure, including false sexual harassment claims against the then-FBI director. Robert Muelleragain Pete Buttigiegthen mayor of South Bend, Indiana and Democratic presidential candidate. In 2019, Burkman and Wohl held press conferences and lied about their extramarital affair. Sen. Elizabeth Warren (D-Mass.) then 2020 president Kamala Harris.

After the 2020 presidential election, Wohl and Burkman were prosecuted by several US states for making thousands of robocalls to residents of battleground states and spreading false claims about mail-in ballots. They were indicted in Cleveland on 15 counts of creating a black-calling system in Detroit, and were sentenced to stand trial in late 2025 after their motions to dismiss the charges were dismissed.

In 2022, Wohl and Burkman both pleaded guilty to one count of wire fraud in Ohio, and were sentenced to fines, probation, and community service. In March 2023, a judge in a New York civil suit ruled that Wohl and Burkman violated federal and state civil rights laws, and both agreed to pay $1 million in damages.

In June 2023, the Federal Communications Commission (FCC) imposed a $5.1 million fine against Wohl and Burkman for their robocall campaigns, at the time the largest fine ever sought by the FCC under the Telephone Consumer Protection Act.

Jacob “Jay” Wohl’s GitHub account.

By age 17, Wohl had started several investment firms, and developed the nickname “Wohl of Wall Street” after appearing on Fox News in 2015 to discuss his new hedge funds. In 2017, the Arizona Corporation Commission charged Wohl and his investment funds with 14 counts of securities fraud, and ordered him to pay $35,000 in restitution. In 2019, Wohl pleaded guilty to four counts in California of selling unregistered securities and was sentenced to two years of probation.

The market for unknown security vulnerabilities has previously been populated by a colorful mix of researchers, academics, charlatans, clout-chasers and people actively involved in cybercrime communities. But the market for selling offensive security services to the US government tends to be more scrutinized. Dozens of government contractors recruit vulnerable researchers and pay for exclusive rights to exploit new software, yet none do so as brazenly and openly as IRIS C2.

The latest post from the Twitter/X account IRISC2 (@c2iris).

Indeed, KrebsOnSecurity didn’t know about IRIS C2 until last month, when an attendee at a regional cybersecurity conference shared that Wohl and Calvexa Group were harassing people at the conference about selling their vulnerability research.

In an interview with KrebsOnSecurity, Wohl said that Mr. Burkman was not involved in the day-to-day operations of IRIS C2. Wohl shared that IRIS C2 originally started as a penetration testing company, but changed its focus recently to selling phone hacking services to the government. Several times throughout the interview, Mr. Wohl talked about working on federal government contracts, but when pressed to elaborate he said he was not at liberty to speak publicly about them.

Mr. Wohl said he has no formal education or training in computer science or information security, and that most of his knowledge on the matter is self-taught.

“I know more about technology than anyone,” Wohl boasted. “My background has always been very technical, and I’ve always been deep in technology. People know me as someone who can do amazingly cool skills that will make your head spin.”

Wohl said that security researchers bring unique vulnerability findings to the company “all the time,” but that in many cases those findings are preliminary and not entirely complete.

“Let’s say someone finds a bug in the media player on the phone,” says Wohl. “A lot of times what we get is old-fashioned exploitation, where the idea is there [execution] you need a job. You need that leverage to be stable and reliable, and that’s what we do.”

Wohl says IRIS C2 has about 40 employees, although he said none of them are allowed to list their work on LinkedIn for security reasons. In May, the author of the IRIS C2 account on X said that his girlfriend did not know what she did for a living. But if IRIS C2 has any other employees, it’s equally possible that they don’t know Mr Wohl’s exact naming history – or even his real name.

In September 2024, Politics reported that Burkman and Wohl were bragging about major companies allegedly buying services from their defunct company. LobbyMaticwhich said it uses artificial intelligence to aid in political lobbying efforts. However, Politico found that the two were operating the company under false names, with Wohl reportedly using the name “Jay Klein” and Burkman using the name “Bill Sanders.” Politico reported that two of the former LobbyMatic employees resigned after learning their true identities, while other employees found out after leaving the company.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button