In the high-stakes, shadow-filled world of offensive cybersecurity, reputation is typically the primary currency. Government contractors, intelligence agencies, and private vulnerability brokers usually operate with a veneer of extreme discretion, vetting their talent through rigorous background checks and decades of industry experience. However, a new player has entered the arena, operating with a brazen lack of pedigree that has sent shockwaves through the cybersecurity community: IRIS C2.
The McLean, Virginia-based startup has emerged with a promise of million-dollar payouts for "zero-day" security vulnerabilities—flaws in software previously unknown to the vendor. While the company claims to be a cutting-edge player in the offensive security space, a deeper investigation into its leadership reveals a pair of figures far more familiar with the criminal courtroom than the server room: far-right conspiracy theorists and convicted felons Jack Burkman and Jacob Wohl.
The Mirage of Expertise: What is IRIS C2?
Since its quiet debut on the social media platform X (formerly Twitter) in January 2025, the account @C2IRIS has cultivated a following of over 4,000 users. Its feed is a relentless stream of discourse on software exploits, artificial intelligence, and the promise of massive financial rewards for "raw talent."
The company’s website, irisc2[.]com, pitches a business model centered on the acquisition of "zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms." The site boldly advertises payouts ranging from $10,000 to as much as $7 million, depending on the operational value and reliability of the provided exploit.
By positioning itself as an unconventional disruptor, the firm claims it is uninterested in traditional credentials. A pinned post on their X account explicitly states: "We don’t care if they have a college degree/industry experience." This aggressive recruiting tactic is designed to bypass the traditional academic and professional vetting processes that typically guard the entrance to the lucrative offensive security market.

A History of Deception: The Wohl-Burkman Partnership
To understand the skepticism surrounding IRIS C2, one must look at the track record of its principals. Jacob Wohl, 28, and Jack Burkman, 60, have spent the better part of a decade operating at the intersection of political disinformation and fraudulent enterprise.
A Pattern of Fabricated Intelligence
The duo has repeatedly used the facade of "intelligence" companies to launch smear campaigns against high-profile targets. Their methodology often involves the creation of shell companies, the use of pseudonyms, and the dissemination of sensationalized, fabricated claims. Their history includes:
- The Mueller/Buttigieg Smear Campaigns: The pair were behind elaborate attempts to manufacture sexual assault allegations against former FBI Director Robert Mueller and former South Bend Mayor Pete Buttigieg.
- Targeting 2020 Candidates: In 2019, they organized press conferences peddling false allegations of extramarital affairs against Sen. Elizabeth Warren and then-candidate Kamala Harris.
- The LobbyMatic Debacle: As recently as 2024, the duo operated an AI-based lobbying platform called "LobbyMatic." Investigations by Politico revealed that the pair operated the company under assumed names—Wohl as "Jay Klein" and Burkman as "Bill Sanders." When employees discovered the true identities and history of their employers, multiple staff members resigned in protest.
The Legal Toll: From Robocalls to Securities Fraud
Their operations have drawn the ire of federal and state authorities repeatedly. In 2022, both men pleaded guilty to a felony charge of telecommunications fraud in Ohio, stemming from a 2020 scheme involving thousands of robocalls aimed at suppressing the vote in Detroit. They were sentenced to probation, fines, and community service.
Furthermore, in 2023, the Federal Communications Commission (FCC) levied a staggering $5.1 million fine against the pair—the largest in the agency’s history under the Telephone Consumer Protection Act—for their roles in the illicit robocall campaigns. Wohl’s legal history even predates his partnership with Burkman; at 17, he began a series of investment firms that ultimately led to charges of securities fraud by the Arizona Corporation Commission in 2017, followed by a 2019 guilty plea in California for selling unregistered securities.
The Architecture of the Current Venture
Current business registration records indicate that IRIS C2 is operated by Calvexa Group LLC. While Calvexa is registered as a federal contractor, the government contracting portal g2exchange.com shows no record of the firm actually performing active government contracts.

When researchers or journalists attempt to track the physical footprint of the company, they are led to an Arlington, Virginia address associated with "Burkman & Associates." When confronted with questions regarding the nature of IRIS C2, Burkman directed all inquiries to Wohl, effectively maintaining the pair’s standard operating procedure of shifting accountability.
The "Tech Guru" Persona
In an interview with KrebsOnSecurity, Jacob Wohl presented himself as a self-taught technical savant. Despite lacking any formal computer science education or professional background in cybersecurity, Wohl was adamant about his expertise.
"I know more about tech than anyone," Wohl claimed. "My background has always been extremely technical… People know me as someone who is able to create spectacularly exquisite capabilities that would make your head spin."
Wohl characterizes the company’s operations as a high-end service that takes "preliminary" vulnerability findings and refines them into "stable and reliable" exploits. He claims to have 40 employees, though he notes that they are prohibited from listing their employment on professional networks like LinkedIn for "operational security reasons." This secrecy, while common in legitimate black-hat research firms, carries a different connotation when the CEO is a man known for operating companies under aliases.
Implications for the Cybersecurity Industry
The emergence of IRIS C2 raises profound questions about the oversight of the private offensive security market. Traditionally, firms that sell zero-day capabilities to the government undergo rigorous scrutiny regarding their compliance, their corporate history, and the reliability of their research.

Erosion of Trust
The cybersecurity community relies on a degree of professional trust. By dangling multi-million dollar incentives to "junior engineers" without vetting their background, IRIS C2 risks polluting the vulnerability market with unverified, potentially dangerous code. Moreover, the lack of transparency in their hiring practices—where employees are encouraged to hide their employment status—creates an environment where accountability is virtually impossible.
The Risk of State-Actor Proximity
While Wohl claims the company works on "federal government contracts" (though he remains evasive when asked for details), the involvement of individuals with a history of foreign-influence-style disinformation campaigns is alarming. If a company led by individuals with a history of criminal fraud is successfully navigating the federal contracting space, it suggests a significant blind spot in the vetting processes currently utilized by government agencies.
The Future of "Offensive" Brokerage
If IRIS C2 is indeed successful in attracting talent, it highlights a dangerous trend: the professionalization of "clout-chasing" in the security world. By gamifying the exploit-brokerage market with the language of a hedge fund, the firm may attract researchers who are more interested in a payday than in the ethical implications of their work.
Conclusion
The story of IRIS C2 is not merely a tale of a cybersecurity startup; it is a case study in the persistence of serial fraudsters. By pivoting from the political theater of the 2020 election to the high-tech, high-stakes world of zero-day vulnerabilities, Jacob Wohl and Jack Burkman have found a new venue for their unique brand of chaos.
For the cybersecurity industry, the message is clear: the barrier to entry for the offensive security market is dangerously porous. As IRIS C2 continues to solicit talent, the burden of verification now falls heavily on the researchers and potential clients who must decide whether they are willing to align themselves with a company whose history is built on a foundation of pseudonyms, fines, and felony convictions. The "exquisite capabilities" promised by Wohl remain, to date, as unproven as the reputations of the men who claim to possess them.

