Wed 08 Jul 2026 / 11:45 ET
Kernel
Security 4 min read

IRIS C2’s zero-day pitch traces back to Jacob Wohl and Jack Burkman

KrebsOnSecurity reports that IRIS C2, a startup seeking phone exploits, is tied to convicted felons Jacob Wohl and Jack Burkman.

Mara Chen-Doyle

By Mara Chen-Doyle / Staff Writer

IRIS C2, a Virginia-linked offensive security startup advertising payments of up to $7 million for software exploits, is being operated by Jacob Wohl and connected to Jack Burkman, according to reporting by KrebsOnSecurity. That matters for vulnerability researchers because the company is asking for high-value zero-day work, the kind that can end up in government hacking tools, while its operators have a documented history of fraud, false political operations and work under assumed names.

The company’s X account, @C2IRIS, was created in January 2025 and has attracted more than 4,000 followers while posting about exploits, AI and security bugs, KrebsOnSecurity reported. IRIS C2 describes itself as a McLean, Virginia, business selling offensive cyber capabilities. Its website says it buys zero-days, exploit primitives, partial chains and full capabilities across major platforms, with listed payouts from $10,000 to $7 million based on the target, reliability and operational value.

A pinned post from the IRIS C2 account says the company wants to recruit top vulnerability researchers and exploit developers, including junior engineers without degrees or industry experience. The company’s website lists open jobs, and its LinkedIn page has said it received a large number of applications, according to KrebsOnSecurity.

The company behind the site

Government contracting portal G2Exchange identifies irisc2.com as operated by Calvexa Group LLC, a Virginia company. G2Exchange lists Calvexa as registered as a federal contractor, but shows no direct government contracts for the company. KrebsOnSecurity reported that Calvexa’s own website forwards visitors to IRIS C2.

Incorporation records list an Arlington, Virginia, address for Calvexa that is occupied by Burkman, the founder and managing partner of lobbying firm Burkman & Associates, according to KrebsOnSecurity. Burkman referred questions about IRIS C2 to Wohl, his longtime associate.

Wohl told KrebsOnSecurity that Burkman is not involved in IRIS C2’s daily operations. Wohl said the company began with penetration testing and recently shifted toward selling phone-hacking services to the government. He repeatedly referred to federal government contracts, but declined to provide details, saying he could not discuss them publicly.

Wohl also told KrebsOnSecurity that he has no formal computer science or information security training and is self-taught. He said researchers regularly bring IRIS C2 vulnerability findings, often at an early stage. In his account, IRIS C2 takes an exploit idea, such as a bug in a phone media decoder, and works to make it reliable enough for operational use.

A long paper trail

Wohl and Burkman have previously created fake intelligence companies and used them in political smear campaigns, including fabricated allegations against Robert Mueller and Pete Buttigieg, according to public records summarized by KrebsOnSecurity. In 2019, the pair also held press conferences making false claims about Sen. Elizabeth Warren and Kamala Harris.

After the 2020 election, several states prosecuted Wohl and Burkman over robocalls that spread false claims about mail-in ballots to residents in battleground states. In Ohio, they pleaded guilty in 2022 to one felony telecommunications fraud charge and received fines, probation and community service. The Associated Press reported that they were later sentenced to probation after appeals were rejected in a Cleveland case tied to robocalls aimed at Black voters in Detroit.

A New York judge ruled in 2023 that Wohl and Burkman violated federal and state civil rights laws, and the two agreed to a $1 million settlement, according to KrebsOnSecurity. The Federal Communications Commission also imposed a $5.1 million fine in 2023 over the robocalls, which the agency described at the time as its largest proposed fine under the Telephone Consumer Protection Act.

Wohl has a separate securities record. The Arizona Corporation Commission charged him and his investment funds in 2017 with 14 counts of securities fraud and ordered $35,000 in restitution. In 2019, he pleaded guilty in California to four felony counts of selling unregistered securities and received two years of probation.

Politico reported in 2024 that Wohl and Burkman had operated an AI lobbying startup called LobbyMatic under pseudonyms, with Wohl using “Jay Klein” and Burkman using “Bill Sanders.” Politico reported that some employees learned the founders’ identities only after joining or leaving the company, and that two resigned after finding out.

Wohl told KrebsOnSecurity that IRIS C2 has about 40 employees, but said they are barred from listing the company on LinkedIn for operational security reasons. No government contract work for Calvexa appears in G2Exchange’s listing, and Wohl did not provide public details that would verify his claims about federal contracts.

This story draws on original reporting from Krebs on Security.

More Security/

view all ↗