Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Felons, Fraudsters Flog Offensive Cybersecurity Startup
Felons, Fraudsters Flog Offensive Cybersecurity Startup
NEWS

Felons, Fraudsters Flog Offensive Cybersecurity Startup

Brian Krebs investigates IRIS C2, an offensive cybersecurity startup dangling million-dollar zero-day payouts that is run by Jacob Wohl and Jack Burkman — convicted felons and serial fraudsters with a documented history of fake intelligence companies and voter suppression schemes.

Dylan H.

News Desk

July 8, 2026
6 min read

Overview

In a detailed investigative report published July 8, 2026, Brian Krebs at KrebsOnSecurity exposes IRIS C2 — an offensive cybersecurity startup based in McLean, Virginia that has been aggressively soliciting zero-day vulnerabilities from security researchers with the promise of million-dollar payouts. The company, which claims to sell offensive cybersecurity capabilities to the U.S. government, is operated by Jacob Wohl and Jack Burkman: two convicted felons with a long history of fraud, disinformation operations, and political schemes carried out under assumed names.

The story raises urgent questions about the integrity of the vulnerability acquisition market and the risks to researchers who engage with unvetted zero-day brokers.

Who Are Wohl and Burkman?

Jacob Wohl, 28, and Jack Burkman are longtime associates with one of the most colorful documented fraud histories in recent American political and financial life.

Criminal and Legal Background

Jacob Wohl:

  • 2017: Arizona Corporation Commission charged Wohl with 14 counts of securities fraud; ordered to pay $35,000 in restitution
  • 2019: Pleaded guilty in California to four felony counts of selling unregistered securities; sentenced to two years of probation
  • 2022: Pleaded guilty in Ohio to felony telecommunications fraud (the robocall voter suppression scheme); sentenced to fine, probation, and community service
  • 2023 (civil): New York judge ruled he violated federal and state civil rights laws; agreed to a $1 million settlement with Burkman
  • 2023 (FCC): The Federal Communications Commission imposed a $5.1 million fine — at the time the largest ever under the Telephone Consumer Protection Act — for robocall voter suppression campaigns
  • 2025: Sentenced to probation after losing appeals on 15 felony counts in Cleveland related to robocalls targeting Black voters in Detroit before the 2020 election

Jack Burkman shares joint liability in the robocall-related convictions and penalties.

The Voter Suppression Robocall Scheme

Following the 2020 presidential election, Wohl and Burkman were prosecuted by multiple U.S. states for orchestrating robocall campaigns targeting battleground states. The calls spread false claims about mail-in ballots — specifically, that personal data from mail-in ballots would be shared with law enforcement to enforce debt collection and outstanding warrants. The campaigns disproportionately targeted Black voters in Detroit. They were indicted in Cleveland on 15 felony counts.

Pattern of Fake Intelligence Companies

Wohl and Burkman have created multiple fake intelligence-front companies used to fabricate and spread damaging claims about public figures, including:

  • Fabricated sexual assault allegations against then-FBI Director Robert Mueller
  • Fabricated sexual assault allegations against presidential candidate Pete Buttigieg

In 2024, Politico reported they operated an AI-based political lobbying platform called LobbyMatic under assumed names — Wohl as "Jay Klein" and Burkman as "Bill Sanders." Two employees resigned upon discovering their real identities. LobbyMatic is now defunct.

IRIS C2: The Offensive Security Front

IRIS C2 (Twitter/X: @C2IRIS) has operated since January 2025, accumulating over 4,000 followers on X by posting frequently about security vulnerabilities, AI, and software exploits. The company's public pitch:

  • Claims to be headquartered in McLean, Virginia — a location with obvious associations to U.S. intelligence community contractors
  • Promises million-dollar payouts for zero-day exploits in popular software
  • Claims to sell phone-hacking services and offensive cybersecurity capabilities to the U.S. government
  • Presents itself as acquiring vulnerabilities for government intelligence and law enforcement use

Krebs became aware of IRIS C2 after an attendee at a regional cybersecurity conference reported that Wohl and his "Calvexa Group" were approaching researchers at the conference about purchasing their vulnerability research — an unusually brazen tactic in a market that typically operates with strict confidentiality.

Red Flags for Security Researchers

In an interview with KrebsOnSecurity, Wohl made several admissions that should alarm any researcher considering engaging with IRIS C2:

  • No formal security credentials: Wohl admitted he has "no formal education or training in computer science or information security" and describes his knowledge as self-taught
  • Unverifiable government contracts: Wohl repeatedly claimed IRIS C2 holds federal government contracts but refused to name any, citing confidentiality
  • Pattern repetition: The aggressive public posture, use of associated shell companies ("Calvexa Group"), and inability to substantiate business claims mirror the pair's prior fake intelligence operations
  • Burkman's distance: Burkman referred all questions to Wohl, claiming no day-to-day involvement — a dynamic consistent with prior ventures

Why This Matters for the Security Community

The zero-day vulnerability market is a legitimate — if opaque — industry. Vetted government contractors, established brokers (Crowdfense, Zerodium, etc.), and bug bounty platforms all operate in this space. What makes IRIS C2 unusual and concerning is its combination of:

  1. Extraordinarily public solicitation — legitimate zero-day programs operate quietly; broadcasting million-dollar offers on social media is atypical
  2. Operators with documented fraud histories — vulnerability researchers who sell to IRIS C2 have no assurance the company is what it claims
  3. No verifiable business credentials — the operators cannot substantiate claimed government relationships or demonstrate relevant technical expertise
  4. Active conference recruitment — approaching researchers at industry events is an aggressive tactic not seen from established, reputable brokers

The concern isn't just about individual researchers being defrauded. If IRIS C2 acquires genuine zero-days and they end up in the wrong hands — or if the "offensive capabilities" being built attract national security attention to uninvolved researchers who submitted vulnerabilities — the downstream risk is significant.

Implications for the Vulnerability Market

This case illustrates broader risks in the vulnerability acquisition space that researchers and organizations should be aware of:

  • Verify brokers before engaging: Established zero-day acquisition firms have verifiable track records, legal structures, and known relationships with government buyers
  • Use escrow and legal agreements: Any sale of vulnerability research should involve legally binding agreements with verifiable counterparties
  • Research the buyer: Background checks on vulnerability buyers are table stakes; OSINT on IRIS C2 would have surfaced Wohl and Burkman's histories quickly
  • Report suspicious outreach: If approached by unknown parties offering large sums for vulnerability research, report the contact to trusted security community networks

References

  • KrebsOnSecurity: Felons, Fraudsters Flog Offensive Cybersecurity Startup
#Zero-Day#Industry Intel#Fraud#Security Research

Related Articles

Microsoft Says It Will Not Pursue Security Researchers After Zero-Day Backlash

Following intense backlash from the security research community over Microsoft's removal of GitHub researcher accounts and statements labeling zero-day…

7 min read

Microsoft's Zero-Day Legal Threats Spark Backlash

After a disgruntled security researcher published several unpatched zero-day exploits in recent weeks, Microsoft seemingly indicated that criminal charges…

5 min read

Microsoft Says Zero-Day Public Releases Are 'Never Justifiable' as Researcher Threatens More Drops

Microsoft publicly condemned unauthorized zero-day disclosures as 'never justifiable' after a security researcher published working proof-of-concept...

6 min read
Back to all News