The emergence of IRIS C2, an offensive cybersecurity startup operating under Calvexa Group LLC, raises significant concerns, particularly given the individuals behind it. This company claims to acquire zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms, offering anywhere from $10,000 to $7 million for these exploits. While they boast around 40 employees, who are curiously not permitted to list their work on LinkedIn for "operational security," the more pressing issue is the documented history of the felons operating this cybersecurity startup.
The Implications of Felons Operating an Offensive Cybersecurity Startup
According to KrebsOnSecurity, IRIS C2, operating under the parent company Calvexa Group LLC, claims to acquire zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms. They state they will pay anywhere from $10,000 to $7 million for these exploits, depending on the target, reliability, and operational value. They even claim to have around 40 employees, though these employees aren't permitted to list their work on LinkedIn for "operational security."
The claims themselves are questionable, but the more significant issue is the individuals behind them. Jack Burkman, 60, and Jacob Wohl, 28, are the founders and operators of this controversial felons cybersecurity startup. Their shared history includes:
- Robocall Schemes: Prosecuted by multiple states for thousands of robocalls spreading false claims about mail-in ballots in 2020. Late last year, they were sentenced to probation for 15 felony counts related to a robocall scheme aimed at suppressing the black vote in Detroit.
- Telecommunications Fraud: They pleaded guilty to a single felony charge of telecommunications fraud in Ohio in 2022.
- Civil Rights Violations: A New York civil court ruled in March 2023 that they violated federal and state civil rights laws, leading to a $1 million settlement.
- FCC Fines: The Federal Communications Commission issued a $5.1 million fine in June 2023 for robocall campaigns (largest FCC fine under the Telephone Consumer Protection Act at the time).
- Fake Intelligence Operations: They have created fake intelligence companies to spread false claims (e.g., against Robert Mueller, Pete Buttigieg, Sen. Elizabeth Warren, Kamala Harris).
- Defunct AI Lobbying Platform: Politico reported in September 2024 that they operated defunct AI-based lobbying platform LobbyMatic using pseudonyms ("Bill Sanders" for Burkman, "Jay Klein" for Wohl).
Wohl himself has a history of securities fraud charges dating back to when he was 17. In 2017, the Arizona Corporation Commission charged him with 14 counts of securities fraud, ordering him to pay $35,000 in restitution. He also pleaded guilty in California in 2019 to four felony counts of selling unregistered securities. He has no formal education or training in computer science or information security. He describes himself as self-taught.
This documented history of deception and fraud directly undermines any claim of integrity necessary for operating in the offensive cybersecurity sector.
How Trust Breaks Down in the Exploit Market
This situation highlights an inherently flawed supply chain of trust, rather than a technical exploit chain, especially when a felons cybersecurity startup is involved.
- Exploit Acquisition: IRIS C2 states, according to Wohl, they acquire exploit primitives (preliminary findings, e.g., a flaw in a media decoder on a phone) and develop them into stable, reliable exploits. For a legitimate researcher, selling a zero-day is a decision with significant professional and ethical ramifications. Trust in the buyer's responsible use, or adherence to agreed ethical boundaries, is key. Payment reliability is also a concern.
- Given Burkman and Wohl's history of fraud and non-payment, a credible researcher risks their professional standing or legal exposure by selling to them. The risk of association with a scam, or misuse of an exploit traceable back to the researcher, is significant, especially when dealing with a felons cybersecurity startup.
- Exploit Development: Wohl claims they develop these primitives. His lack of formal background and their history of operating fake companies makes the technical rigor of this "development" questionable. Genuine exploit development involves rigorous reverse engineering, vulnerability research, bypass development, and extensive stability testing across target environments. Merely repackaging public Proof-of-Concepts (PoCs) as zero-days, as implied by Wohl's background, bypasses these critical stages, directly impacting quality control, reliability, and the understanding of underlying system vulnerabilities, a critical flaw for any felons cybersecurity startup.
- Exploit Sale: If they do acquire or develop exploits, who are the buyers? Wohl claims they sell phone-hacking services to the government. Calvexa Group LLC is registered as a federal contractor, but no public record of direct government contracts exists. This raises two primary concerns:
- Misuse: If these exploits are used by Burkman and Wohl for nefarious purposes, such as voter suppression schemes, the impact could be severe, further tarnishing the reputation of this felons cybersecurity startup.
- Vetting: Any government agency or private entity considering a purchase from IRIS C2 would require rigorous due diligence. Their history should be a clear disqualifier. Contracting with individuals holding multiple felony convictions for fraud and voter suppression, particularly for sensitive offensive capabilities, would introduce substantial operational and reputational liabilities for any government entity engaging with such a felons cybersecurity startup.
This situation highlights that the integrity of the supply chain is as important as the technical capability of a zero-day itself. When operators have a documented history of deception, the operation's legitimacy is severely undermined.
The Real Impact: Erosion of Credibility and Undermined Security
IRIS C2's operation, or even its mere existence, carries significant practical implications:
- Damage to the Legitimate Exploit Market: The zero-day market, despite its complexities, serves established national security and defense objectives. The entry of actors like Burkman and Wohl into this specialized domain damages the industry's reputation, making it more challenging for legitimate researchers to connect with trusted buyers and for responsible governments to acquire necessary capabilities. This ultimately erodes public trust in the market's integrity, especially when a felons cybersecurity startup is involved.
- Risk to Customers: Should IRIS C2 succeed in selling exploits, their customers would face considerable risks concerning product reliability, potential backdoors, and the cleanliness of the source. Given the founders' documented history, any acquisition from this felons cybersecurity startup would represent substantial operational or reputational exposure rather than a security tool.
- Regulatory Blind Spots: The ability of individuals with a clear and recent history of fraud and felony convictions to register a federal contracting company and claim operation in a specialized area indicates an identifiable regulatory oversight deficiency. This raises questions about the adequacy of vetting processes for such entities and the absence of clearer procedural safeguards to prevent known fraudsters from entering markets relevant to national security interests, particularly as a felons cybersecurity startup. This concern extends beyond offensive security to the broader ecosystem of government contracting and sensitive technology.
- Disinformation Risk: Burkman and Wohl possess a documented track record of establishing fake intelligence companies and disseminating false claims. Their operation of an "offensive cybersecurity startup" could provide them with a new platform and a veneer of technical credibility, potentially enabling continued disinformation activities.
The circumstances surrounding IRIS C2 highlight the existing challenges in vetting mechanisms for companies and individuals operating in sensitive cybersecurity sectors, particularly those dealing with offensive capabilities.
Thorough due diligence remains a foundational requirement. Any entity, government or private, considering engagement with a company like IRIS C2 would encounter Burkman and Wohl's public record of fraud and felony convictions. Overlooking this documented history would represent a significant lapse in basic vetting procedures.
The ease with which individuals with multiple felony convictions for fraud and voter suppression can register a company as a federal contractor in offensive cybersecurity indicates a systemic weakness in existing regulatory frameworks. This situation highlights the absence of clear disqualifiers for operating in such a specialized space, where preventing fraud is directly tied to national security interests.
The integrity of the cybersecurity community is implicitly challenged by operations such as IRIS C2. The continued legitimacy of the zero-day market, and the broader cybersecurity industry, depends on the adherence to professional standards and the avoidance of association with entities demonstrating a documented history of deception.
The existence of IRIS C2 is more than an unusual news item; it demonstrates that "offensive" security can take on a different meaning when the operators themselves pose a threat. Compromised trust in this sector directly undermines effective security, whether defensive or offensive.
The Imperative for Rigorous Due Diligence and Regulatory Reform
The ongoing saga of IRIS C2, a self-proclaimed offensive cybersecurity startup led by individuals with a documented history of fraud and felony convictions, underscores a critical vulnerability in our current regulatory and vetting systems. The ease with which Jack Burkman and Jacob Wohl, known felons, can establish and operate a company claiming to deal in sensitive zero-day exploits demands immediate attention. This situation is not merely an isolated incident but a symptom of broader systemic weaknesses that could have profound national security implications.
For any government agency or private enterprise, the decision to engage with a felons cybersecurity startup like IRIS C2 would represent an unacceptable level of risk. Basic due diligence would immediately flag the founders' extensive public record of deception, including robocall schemes, telecommunications fraud, and civil rights violations. Overlooking such a history for a vendor in the offensive cybersecurity space is not just negligent; it's a direct threat to operational integrity and public trust.
Furthermore, this case highlights the urgent need for robust regulatory reforms. There must be clearer disqualifiers and more stringent vetting processes for companies seeking federal contractor status, especially those operating in highly sensitive technological domains. The current framework appears insufficient to prevent known fraudsters from exploiting loopholes to gain a veneer of legitimacy, thereby undermining the credibility of the entire cybersecurity industry. Ensuring that such a felons cybersecurity startup cannot easily operate is paramount for national security.
Ultimately, the integrity of the zero-day exploit market and the broader cybersecurity ecosystem hinges on trust and accountability. When operators are known felons, the very foundation of that trust is compromised. This situation serves as a stark reminder that vigilance, transparency, and unwavering ethical standards are not just ideals but essential requirements for safeguarding our digital future.