Convicted Fraudsters Run Zero-Day Exploit Startup

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- IRIS C2 advertises payouts ranging from $10,000 to $7 million for zero-day exploits, partial chains, and vulnerability primitives, recruiting talent through a public X/Twitter account (@C2IRIS) with over 4,000 followers since January 2025.
- Calvexa Group LLC, the Virginia-registered federal contractor operating IRIS C2's website, lists an Arlington address occupied by lobbyist Jack Burkman, who referred all questions to his longtime associate Jacob Wohl.
- Wohl and Burkman pleaded guilty in 2022 to a felony telecommunications fraud charge in Ohio and agreed in March 2023 to a $1 million settlement in a New York civil rights case stemming from fabricated sexual assault and extramarital affair claims against public figures including Robert Mueller, Pete Buttigieg, Elizabeth Warren, and Kamala Harris.
- The FCC imposed a $5.1 million fine on the pair in June 2023 for 2020 robocall campaigns suppressing the Black vote in Detroit — at the time the largest fine ever sought under the Telephone Consumer Protection Act.
- Wohl pleaded guilty in California in 2019 to four felony counts of selling unregistered securities after the Arizona Corporation Commission charged him with 14 counts of securities fraud in 2017 and ordered $35,000 in restitution.
- Wohl told KrebsOnSecurity he has no formal computer science education, described IRIS C2 as having approximately 40 employees barred from listing the company on LinkedIn, and said the firm shifted from penetration testing to selling phone-hacking services to the government.
- LobbyMatic, the pair's defunct AI-based lobbying platform, was run under pseudonyms — Wohl as "Jay Klein" and Burkman as "Bill Sanders" — with at least two employees resigning after learning their true identities, per Politico.
Why it matters: Offensive cybersecurity contractors handling zero-day exploits for federal agencies typically operate under heavy vetting and discretion. KrebsOnSecurity explicitly notes the government-contracting market for vulnerability research is "far more circumspect" than IRIS C2's brazen public recruitment, and Wohl was already pitching researchers at a regional cybersecurity conference. A pair on probation for felony fraud with a record $5.1 million FCC penalty actively soliciting exploit submissions raises immediate questions about the access controls — or lack thereof — governing this segment of the federal supply chain.



