Overview
In a detailed investigative report published July 8, 2026, Brian Krebs at KrebsOnSecurity exposes IRIS C2 — an offensive cybersecurity startup based in McLean, Virginia that has been aggressively soliciting zero-day vulnerabilities from security researchers with the promise of million-dollar payouts. The company, which claims to sell offensive cybersecurity capabilities to the U.S. government, is operated by Jacob Wohl and Jack Burkman: two convicted felons with a long history of fraud, disinformation operations, and political schemes carried out under assumed names.
The story raises urgent questions about the integrity of the vulnerability acquisition market and the risks to researchers who engage with unvetted zero-day brokers.
Who Are Wohl and Burkman?
Jacob Wohl, 28, and Jack Burkman are longtime associates with one of the most colorful documented fraud histories in recent American political and financial life.
Criminal and Legal Background
Jacob Wohl:
- 2017: Arizona Corporation Commission charged Wohl with 14 counts of securities fraud; ordered to pay $35,000 in restitution
- 2019: Pleaded guilty in California to four felony counts of selling unregistered securities; sentenced to two years of probation
- 2022: Pleaded guilty in Ohio to felony telecommunications fraud (the robocall voter suppression scheme); sentenced to fine, probation, and community service
- 2023 (civil): New York judge ruled he violated federal and state civil rights laws; agreed to a $1 million settlement with Burkman
- 2023 (FCC): The Federal Communications Commission imposed a $5.1 million fine — at the time the largest ever under the Telephone Consumer Protection Act — for robocall voter suppression campaigns
- 2025: Sentenced to probation after losing appeals on 15 felony counts in Cleveland related to robocalls targeting Black voters in Detroit before the 2020 election
Jack Burkman shares joint liability in the robocall-related convictions and penalties.
The Voter Suppression Robocall Scheme
Following the 2020 presidential election, Wohl and Burkman were prosecuted by multiple U.S. states for orchestrating robocall campaigns targeting battleground states. The calls spread false claims about mail-in ballots — specifically, that personal data from mail-in ballots would be shared with law enforcement to enforce debt collection and outstanding warrants. The campaigns disproportionately targeted Black voters in Detroit. They were indicted in Cleveland on 15 felony counts.
Pattern of Fake Intelligence Companies
Wohl and Burkman have created multiple fake intelligence-front companies used to fabricate and spread damaging claims about public figures, including:
- Fabricated sexual assault allegations against then-FBI Director Robert Mueller
- Fabricated sexual assault allegations against presidential candidate Pete Buttigieg
In 2024, Politico reported they operated an AI-based political lobbying platform called LobbyMatic under assumed names — Wohl as "Jay Klein" and Burkman as "Bill Sanders." Two employees resigned upon discovering their real identities. LobbyMatic is now defunct.
IRIS C2: The Offensive Security Front
IRIS C2 (Twitter/X: @C2IRIS) has operated since January 2025, accumulating over 4,000 followers on X by posting frequently about security vulnerabilities, AI, and software exploits. The company's public pitch:
- Claims to be headquartered in McLean, Virginia — a location with obvious associations to U.S. intelligence community contractors
- Promises million-dollar payouts for zero-day exploits in popular software
- Claims to sell phone-hacking services and offensive cybersecurity capabilities to the U.S. government
- Presents itself as acquiring vulnerabilities for government intelligence and law enforcement use
Krebs became aware of IRIS C2 after an attendee at a regional cybersecurity conference reported that Wohl and his "Calvexa Group" were approaching researchers at the conference about purchasing their vulnerability research — an unusually brazen tactic in a market that typically operates with strict confidentiality.
Red Flags for Security Researchers
In an interview with KrebsOnSecurity, Wohl made several admissions that should alarm any researcher considering engaging with IRIS C2:
- No formal security credentials: Wohl admitted he has "no formal education or training in computer science or information security" and describes his knowledge as self-taught
- Unverifiable government contracts: Wohl repeatedly claimed IRIS C2 holds federal government contracts but refused to name any, citing confidentiality
- Pattern repetition: The aggressive public posture, use of associated shell companies ("Calvexa Group"), and inability to substantiate business claims mirror the pair's prior fake intelligence operations
- Burkman's distance: Burkman referred all questions to Wohl, claiming no day-to-day involvement — a dynamic consistent with prior ventures
Why This Matters for the Security Community
The zero-day vulnerability market is a legitimate — if opaque — industry. Vetted government contractors, established brokers (Crowdfense, Zerodium, etc.), and bug bounty platforms all operate in this space. What makes IRIS C2 unusual and concerning is its combination of:
- Extraordinarily public solicitation — legitimate zero-day programs operate quietly; broadcasting million-dollar offers on social media is atypical
- Operators with documented fraud histories — vulnerability researchers who sell to IRIS C2 have no assurance the company is what it claims
- No verifiable business credentials — the operators cannot substantiate claimed government relationships or demonstrate relevant technical expertise
- Active conference recruitment — approaching researchers at industry events is an aggressive tactic not seen from established, reputable brokers
The concern isn't just about individual researchers being defrauded. If IRIS C2 acquires genuine zero-days and they end up in the wrong hands — or if the "offensive capabilities" being built attract national security attention to uninvolved researchers who submitted vulnerabilities — the downstream risk is significant.
Implications for the Vulnerability Market
This case illustrates broader risks in the vulnerability acquisition space that researchers and organizations should be aware of:
- Verify brokers before engaging: Established zero-day acquisition firms have verifiable track records, legal structures, and known relationships with government buyers
- Use escrow and legal agreements: Any sale of vulnerability research should involve legally binding agreements with verifiable counterparties
- Research the buyer: Background checks on vulnerability buyers are table stakes; OSINT on IRIS C2 would have surfaced Wohl and Burkman's histories quickly
- Report suspicious outreach: If approached by unknown parties offering large sums for vulnerability research, report the contact to trusted security community networks