• Home  
  • Felons Run Offensive Cybersecurity Startup IRIS C2
- Cybersecurity

Felons Run Offensive Cybersecurity Startup IRIS C2

A deep dive into IRIS C2, the offensive cybersecurity startup run by convicted felons, exposing its dubious zero‑day bounty model and shady ownership.

Felons Run Offensive Cybersecurity Startup IRIS C2

IRIS C2’s X/Twitter account has gained more than 4,000 followers since its creation in January 2025, posting frequently about security vulnerabilities, AI and software exploits. That’s a lot of noise for a company that claims to sell offensive cybersecurity capabilities out of McLean, Va.

Key Takeaways

  • IRIS C2 is operated by Calvexa Group LLC, a Virginia‑registered federal contractor with no known government contracts.
  • The firm promises payouts ranging from $10,000 to $7 million for zero‑day exploits.
  • Founders Jack Burkman (60) and Jacob Wohl (28) have a history of creating fake intelligence firms and spreading disinformation.
  • The company’s hiring rhetoric focuses on raw talent and “extremely high IQ” rather than formal credentials.
  • Public records link the firm’s address to Burkman’s lobbying office, not a traditional tech incubator.

Offensive Cybersecurity Startup IRIS C2 Draws Scrutiny

When we first saw the pinned post on IRIS C2’s X account, it read, “Our business model is this,” followed by a promise to attract “the very best vulnerability researchers and exploit developers in the world.” That’s a bold claim for a venture that openly markets “zero‑day exploits, individual primitives, partial chains, and full capabilities across all major platforms.” The language is unapologetically mercenary, and the company backs it up with a public salary sheet that lists payouts up to $7 million for the most valuable exploits.

Who’s Behind the Curtain?

The g2exchange.com government‑contracting portal shows the domain irisc2.com is owned by Calvexa Group LLC. Calvexa is registered in Virginia, but its original report notes that the firm appears to have no active government contracts. A simple search of the Arlington, Va. address listed for Calvexa leads to the office of Jack Burkman, the founder of lobbying firm Burkman & Associates. When asked about IRIS C2, Burkman deflected, saying Jacob Wohl should be contacted instead.

Burman and Wohl: A Track Record of Deception

Burman (60) and Wohl (28) have a “storied history” of creating fake intelligence companies to push false narratives. In 2019 they staged press conferences alleging extramarital affairs by Sen. Elizabeth Warren, and they later fabricated sexual assault claims against former FBI director Robert Mueller and then‑presidential candidate Pete Buttigieg. Those episodes show a pattern of using fabricated entities to manipulate public perception, which raises serious questions about the credibility of a startup that promises to sell weaponized software.

Historical Context of Offensive Bounty Programs

Zero‑day markets have existed in various forms for decades, but the early 2020s saw a noticeable shift toward publicly advertised bounty sheets. Companies began posting large, tiered payouts as a way to attract independent researchers. That trend created a feedback loop: higher rewards drew more talent, and more talent produced more sophisticated exploits. The result was a marketplace that resembled a high‑stakes auction.

Traditional bug‑bounty platforms usually limit rewards to a few hundred thousand dollars, focusing on responsible disclosure. In contrast, the newer offensive‑focused models reward the ability to bypass disclosure entirely. The distinction is subtle, yet it changes the incentives for a researcher deciding whether to go public or to sell privately.

IRIS C2 entered this space with a public salary sheet that dwarfs most conventional programs. By positioning itself as a “marketplace for exploit developers,” the firm taps into a niche that has been growing but remains poorly understood by mainstream security teams.

Zero‑Day Bounties That Sound Like a Money‑Laundering Scheme

The IRIS C2 website promises payouts from $10,000 to $7 million depending on target, reliability, and operational value. That’s a staggering range, especially when you consider that most legitimate bug‑bounty programs cap rewards at a few hundred thousand dollars. The company even says it “doesn’t care if they have a college degree/industry experience,” which reads like an invitation to anyone with the right skill set — or the willingness to ignore legal boundaries.

Hiring pages on the IRIS C2 site list positions like “Junior Engineer – Raw Talent” and “Exploit Developer – High IQ Required,” while a LinkedIn post boasts an “overwhelming number of applications” from potential employees. That’s a red flag: a startup that needs to pull in talent by promising massive payouts is likely to attract both skilled hackers and those looking for a quick cash grab.

Legal Grey Zones

Because Calvexa Group LLC is a registered federal contractor, the company could theoretically secure government contracts. Yet the g2exchange.com database shows no active contracts tied to Calvexa. That gap suggests the firm might be using its contractor status as a veneer of legitimacy while operating in a legal grey zone. If the company ever lands a classified contract, the lack of transparency could complicate oversight.

Regulatory Landscape

Federal agencies have begun to outline expectations for vulnerability disclosure, but the rules are still evolving. Existing frameworks tend to focus on defensive research, leaving offensive bounty models largely unaddressed. That gap leaves companies like IRIS C2 operating with minimal oversight.

State‑level legislation is also emerging, with a few jurisdictions proposing stricter reporting requirements for exploit sales. Those proposals often clash with the desire of private firms to keep their research pipelines confidential. The tension creates an environment where compliance can be ambiguous.

For a contractor that claims to be eligible for federal work, any future contract would likely trigger a review of its procurement practices. Regulators could demand greater visibility into payout structures and the end‑users of the exploits. Until those rules solidify, the market remains a wildcard.

Why This Matters to the Tech Community

Developers and founders should care because the existence of a marketplace that openly solicits zero‑day exploits can destabilize the broader security ecosystem. When high‑pay bounties are dangled, researchers might be tempted to bypass responsible disclosure routes and sell directly to the highest bidder. That’s a dangerous incentive structure that could increase the volume of undisclosed vulnerabilities in the wild.

the involvement of individuals with a documented history of misinformation means the startup could become a conduit for state‑or‑non‑state actors seeking to weaponize exploits without accountability. That’s a scenario the cybersecurity industry has warned about for years, yet here we have a concrete example that matches those warnings.

Potential Ripple Effects

  • Increased competition for talent may drive up exploit prices, making it more lucrative for malicious actors.
  • Software vendors could see a rise in undisclosed zero‑days, forcing them to allocate more resources to internal security testing.
  • Regulators may feel pressure to tighten rules around bounty programs and the sale of offensive tools.

What This Means For You

If you’re a developer responsible for securing a product, you should revisit your vulnerability disclosure policy. Consider offering competitive rewards that don’t exceed the market rates highlighted by IRIS C2, and make sure your program encourages responsible reporting rather than outright sale. That’s the safest route when the market is trying to lure talent with multi‑million‑dollar payouts.

For founders building security‑focused startups, the IRIS C2 case is a cautionary tale. Align your hiring language with industry norms, and avoid the temptation to promise “extremely high IQ” as a substitute for proven experience. Transparency in ownership and funding can protect your brand from being associated with dubious actors. That’s how you maintain credibility in a field where trust is everything.

Scenario 1: A Mid‑Size SaaS Provider

A company that runs a cloud‑based CRM discovers a critical remote‑code‑execution bug in its API. The internal team can patch it quickly, but a third‑party researcher contacts IRIS C2 with a $500,000 offer for the same flaw. The SaaS provider now faces a choice: accept the payout and keep the exploit private, or disclose it responsibly. By maintaining a clear bounty policy that rewards disclosure but caps payouts at levels comparable to industry standards, the provider can steer the researcher toward a public fix. That approach protects customers and avoids feeding a market that thrives on secrecy.

Scenario 2: An IoT Startup

Imagine a hardware firm that builds smart thermostats. Its devices run a custom Linux kernel, and a researcher finds a privilege‑escalation chain that could let an attacker take control of any unit. IRIS C2 advertises a $2 million reward for a full‑chain exploit targeting similar firmware. The startup must decide whether to launch an emergency recall or to work with the researcher under a non‑disclosure agreement. If the firm has already established a responsible‑disclosure channel, it can negotiate a modest reward and obtain the exploit details without exposing the broader market. That reduces the risk of the vulnerability leaking to malicious actors.

Scenario 3: A Security Consultancy

A boutique firm offers penetration‑testing services to financial institutions. One of its consultants uncovers a zero‑day that could bypass multi‑factor authentication. IRIS C2 reaches out with a $7 million offer for the same technique. The consultancy must weigh its reputation against the lure of a life‑changing sum. By adhering to a code of ethics that prioritizes client safety over personal gain, the consultant can decline the offer and instead disclose the flaw through a coordinated channel. This reinforces the consultancy’s standing and helps the industry stay resilient.

Key Questions Remaining

  • How will existing bug‑bounty platforms adapt if more firms adopt IRIS C2‑style payout structures?
  • What mechanisms can regulators employ to monitor offensive cyber‑security contractors without stifling legitimate research?
  • Will the presence of high‑pay exploit markets push more talent toward illicit activities, or will it encourage the development of stronger defensive tools?

Sources: Krebs on Security, Wikipedia

About the Author

— AI & Technology Reporter

Halil Kale is an AI and technology reporter at AI Post Daily, where he covers artificial intelligence, machine learning, cybersecurity, and the business of tech. With a background in computer science and over five years of experience tracking the AI industry, Halil specializes in translating complex technical developments into clear, actionable insights for developers, founders, and technology professionals. He has reported on breakthroughs from Anthropic, OpenAI, Google DeepMind, and NVIDIA, as well as critical cybersecurity incidents and emerging robotics applications. Halil believes that understanding AI is no longer optional — it's essential for anyone working in or around technology. At AI Post Daily, he applies rigorous editorial standards to ensure every story is accurate, sourced, and genuinely useful to readers.

About AI Post Daily

Independent coverage of artificial intelligence, machine learning, cybersecurity, and the technology shaping our future.

Contact: Get in touch

We use cookies to personalize content and ads, and to analyze traffic. By using this site, you agree to our Privacy Policy.