Dateline: July 14, 2026
Fake Names, Real Felonies, and a Startup Hunting for Hackers
Someone at a security conference last month kept getting cornered by a company that wanted to buy their hacking research. That nagging turned into a story. The company is called IRIS C2, it promises payouts as high as $7 million for software exploits, and according to a Krebs on Security investigation published July 8, the people behind it are two convicted felons with a long history of fraud and political dirty tricks.
What Happened?
IRIS C2 runs a loud pitch on X and LinkedIn. From an account created in January 2025, it has pulled in more than 4,000 followers by posting about vulnerabilities, AI, and exploits. Its message is blunt: bring us your best exploit work and we will pay big.
The website advertises interest in zero-day exploits, primitives, partial chains, and full capabilities across major platforms, with payouts from $10,000 to $7 million. It openly recruits young, self-described high-IQ engineers, no degree or experience required.
Krebs traced the operation. The site is run by a Virginia company called Calvexa Group LLC. The contact page for Calvexa forwards to the IRIS C2 site, and the address on Calvexa’s incorporation records belongs to Jack Burkman, a 60-year-old lobbyist. Burkman pushed questions to his longtime associate, 28-year-old Jacob Wohl.
That pairing is the story. Burkman and Wohl are known for building fake intelligence firms and using them to smear public figures, including fabricated sexual assault claims against former FBI director Robert Mueller and against Pete Buttigieg.
In 2022, both pleaded guilty to a felony telecommunications fraud charge in Ohio tied to a robocall scheme aimed at suppressing votes. In 2023, the FCC hit them with a $5.1 million fine, the largest it had ever sought under the Telephone Consumer Protection Act. Wohl has his own separate record, including a 2019 California guilty plea on four felony counts of selling unregistered securities.
Wohl told Krebs that Burkman is not involved day to day, that the firm shifted from penetration testing to selling phone-hacking services to the government, and that it employs about 40 people who are barred from listing the job on LinkedIn. He also admitted he has no formal training in the field, while claiming he knows more about tech than anyone.
What’s the Impact?
The trade in unknown vulnerabilities has always drawn a strange crowd. But selling offensive capability to the government is usually a quiet, careful business. IRIS C2 is the opposite of quiet.
Here is the practical worry. Researchers who hand exploits to an outfit like this have no idea who ends up holding that capability, or where it goes next. The company registered as a federal contractor but does not appear to hold any actual government contracts, so Wohl’s claims about federal work sit unverified.
A pattern also repeats: Politico reported in 2024 that the pair ran a now-defunct AI lobbying firm under the fake names “Jay Klein” and “Bill Sanders,” and some staff quit once they learned who their bosses really were. Anyone tempted by the payout should ask who is really on the other end of the deal.
How to Avoid This
This one is about due diligence, not patching.
If you research vulnerabilities, vet the buyer before you sell. Check who owns the company, who runs it, and whether their track record holds up. If a firm hides its employees and its leadership, treat that as a warning, not a quirk. Established exploit acquisition programs and bug bounties from known vendors exist for a reason. And if a recruiter is chasing you around a conference waving seven figures with no paperwork and no verifiable client, slow down and dig.
When the Vendor Is the Risk
Not every threat shows up as malware. Sometimes it walks in wearing a startup logo and a big payout. Secure.com’s Digital Security Teammates help teams keep their risk picture straight by:
- Pulling vendor, asset, and access risk into one register instead of scattered spreadsheets.
- Mapping who and what connects to your systems, so unknown third parties do not slip in unseen.
- Enforcing least privilege and MFA, so a single questionable relationship cannot hand over the keys.
- Producing audit-ready evidence of your governance checks when leadership or regulators ask.