The Mirage of IRIS C2: Inside the Cybersecurity Startup Run by Notorious Political Operatives

the-mirage-of-iris-c2-inside-the-cybersecurity-startup-run-by-notorious-political-operatives

In the high-stakes, shadow-filled world of zero-day vulnerability trading, reputation is usually the only currency that matters. It is a market traditionally dominated by elite, vetted research firms and government contractors who operate with extreme discretion. However, a new player has emerged on the scene—a McLean, Virginia-based outfit called IRIS C2—that is shattering industry norms by openly advertising million-dollar payouts for software exploits on social media.

Beneath the veneer of a high-tech offensive cybersecurity firm lies a far more controversial reality. An investigation into the company’s corporate infrastructure and leadership reveals that IRIS C2 is the latest venture from Jack Burkman and Jacob Wohl, a duo of far-right conspiracy theorists and convicted felons whose track record includes a string of failed intelligence firms, fraudulent lobbying platforms, and criminal convictions for election interference.

The Rise of IRIS C2: A Digital Pivot

Since its inception in January 2025, the X (formerly Twitter) account @C2IRIS has aggressively courted the cybersecurity community. Boasting over 4,000 followers, the account frequently broadcasts technical content regarding software vulnerabilities and artificial intelligence, all while promising life-changing compensation for talented researchers.

"Our business model is this," reads a pinned post on their profile. "Attract the very best vulnerability researchers and exploit developers in the world to join our company. This mostly revolves around junior engineers with raw talent/extremely high IQ. We don’t care if they have a college degree/industry experience."

The company’s website, irisc2[.]com, mirrors this aggressive recruitment posture, detailing a price list that would make even the most established exploit brokers blush. The site claims to acquire "zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms," with payouts ranging from a modest $10,000 to a staggering $7 million, contingent on the "target, reliability, and operational value" of the exploit.

Felons, Fraudsters Flog Offensive Cybersecurity Startup

Despite this bold public posturing, the company’s actual footprint is shrouded in obscurity. Government contracting records reveal that the firm is operated by Calvexa Group LLC, a company registered as a federal contractor that, according to data from g2exchange.com, appears to lack any active, verified government contracts. When visitors attempt to contact Calvexa Group via its corporate site, they are simply redirected to the IRIS C2 landing page, suggesting a thin, interconnected web of entities rather than a robust, multi-layered corporation.

A Chronology of Deception

To understand the nature of IRIS C2, one must look at the architects behind the curtain. The address listed in the incorporation records for Calvexa Group LLC leads directly to an Arlington, Virginia office occupied by Jack Burkman, a 60-year-old lobbyist known for his decades-long presence in D.C. political circles. When queried about the operation, Burkman directed all questions to his longtime collaborator, 28-year-old Jacob Wohl.

The partnership between Burkman and Wohl is infamous for a series of "intelligence" operations that frequently collapsed under the weight of their own fabrications:

  • 2015-2017: A teenage Wohl begins his career in finance, only to be charged by the Arizona Corporation Commission with 14 counts of securities fraud. He is ordered to pay $35,000 in restitution.
  • 2018-2019: The duo gains national notoriety for fabricating sexual assault allegations against then-FBI Director Robert Mueller and Democratic presidential candidate Pete Buttigieg. They also hold press conferences alleging extramarital affairs involving Senator Elizabeth Warren and then-candidate Kamala Harris.
  • 2019: Wohl pleads guilty in California to four felony counts of selling unregistered securities, receiving two years of probation.
  • 2020: The pair orchestrates a massive robocall campaign targeting voters in battleground states with disinformation regarding mail-in ballots.
  • 2022-2023: A series of legal dominoes fall. The pair pleads guilty to telecommunications fraud in Ohio, receives a $1 million civil settlement in New York for violating civil rights laws, and is slapped with a record-breaking $5.1 million fine by the FCC for their robocall schemes.
  • 2024: The duo launches "LobbyMatic," an AI-based lobbying platform. An investigation by Politico reveals they were operating the firm under pseudonyms—Wohl as "Jay Klein" and Burkman as "Bill Sanders"—leading to employee resignations once the deception was exposed.

Supporting Data: The Technical Credibility Gap

The cybersecurity industry thrives on verifiable expertise—GitHub repositories, CVE (Common Vulnerabilities and Exposures) credits, and peer-reviewed research. In contrast, the leadership of IRIS C2 offers little in the way of a professional pedigree.

When interviewed, Wohl openly admitted that he lacks any formal education or training in computer science or cybersecurity. His technical proficiency, he claims, is entirely self-taught. "I know more about tech than anyone," Wohl stated during a phone call with KrebsOnSecurity. "My background has always been extremely technical, and I’ve always been deeply into tech."

Felons, Fraudsters Flog Offensive Cybersecurity Startup

While Wohl claims that the company employs approximately 40 people, he justifies the lack of public profiles for these individuals by citing "operational security." However, industry observers find the claim of 40 employees highly suspect, noting that such a staff size would require significant capital overhead that is difficult to reconcile with the company’s lack of public contracts or proven track record.

Wohl describes their workflow as taking "preliminary" findings from researchers—such as an exploit primitive—and refining them into stable, weaponized capabilities. This "middleman" model is common in the gray market, but the open solicitation of such sensitive code by individuals with a history of fraud creates an environment ripe for exploitation, not just of software, but of the researchers themselves.

Official Responses and Industry Skepticism

The cybersecurity community has responded to the emergence of IRIS C2 with a mixture of amusement and alarm. Legitimate vulnerability brokers typically operate with extreme caution, requiring non-disclosure agreements, rigorous background checks, and verified credentials before even acknowledging a researcher’s submission.

The brazenness of IRIS C2—which has been spotted "pestering" attendees at regional security conferences to sell their research—is an anomaly. When pressed about his company’s government contracts, Wohl shifted between claiming active work and stating he was "not at liberty to speak publicly" about them.

The disconnect between the professional image the company attempts to project and the known history of its founders remains the central tension. As seen with the LobbyMatic venture, the pattern is consistent: the creation of a sophisticated-sounding entity, the use of grandiose claims regarding proprietary AI or technical capabilities, and a rapid pivot once the reality of the business model is scrutinized.

Felons, Fraudsters Flog Offensive Cybersecurity Startup

Implications for the Cybersecurity Ecosystem

The existence of IRIS C2 poses several risks to the broader information security landscape:

  1. Researcher Exploitation: Young, talented, or inexperienced researchers lured by the promise of million-dollar payouts may unwittingly hand over sensitive, high-value exploits to individuals who have no history of ethical handling of data.
  2. Reputational Damage: The conflation of "offensive cybersecurity" with the antics of political provocateurs can delegitimize the work of ethical researchers and legitimate government contractors who operate under strict legal and moral frameworks.
  3. Data Security: If IRIS C2 is, as it claims, collecting "full capabilities" for major platforms, the question of where this data is stored and who has access to it becomes a matter of national security. Given the history of the founders, there is little reason to trust that these exploits are being handled with the security protocols required for such sensitive information.

As of mid-2026, IRIS C2 continues to post to X, maintaining the facade of a high-end vulnerability shop. However, for those familiar with the history of Jack Burkman and Jacob Wohl, the venture appears less like a legitimate cybersecurity firm and more like a high-tech iteration of their previous grifts—a digital mirage designed to capture attention and capital, regardless of the ultimate cost to their participants or the industry at large.

The "miracle of technology" they claim to offer remains, as it has for the past decade, entirely in the realm of the imagination.