Krebs traces zero-day broker IRIS C2 to Wohl and Burkman
Krebs ties IRIS C2, an offensive-security startup pitching zero-day acquisition, to Jacob Wohl and Jack Burkman — both convicted of felony fraud.
Brian Krebs reported today that IRIS C2 — a Virginia-registered startup pitching itself as a broker for zero-day exploits, phone-hacking services, and “full capabilities across all major platforms” — is run by Jacob Wohl and Jack Burkman, two men whose public records at this point run to several pages and consist largely of felony fraud convictions.
You can read that sentence twice. It doesn’t get less strange the second time.
The specifics belong to Krebs’s writeup and to the court records he cites, but the shape of it is this. Wohl, 28, has a run of convictions and settlements over the last decade: a 2019 California guilty plea to four felony counts of selling unregistered securities, a 2022 Ohio guilty plea to a telecommunications-fraud felony over an election-interference robocall campaign, a $1 million New York civil judgment in 2023, a Cleveland felony indictment last year on 15 further counts tied to more robocall schemes. Burkman, 60, is his co-defendant on much of that: joint Ohio telecom-fraud plea, joint $1 million civil settlement, joint $5.1 million FCC fine. Neither has, as far as the public record shows, any professional history in exploit development, vulnerability research, or offensive-security operations before this year.
The company they are now fronting — IRIS C2, parent Calvexa Group LLC, incorporated in Arlington and marketing from a McLean, Virginia address — claims to acquire “zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms,” with payouts stated as ranging from ten thousand to seven million dollars. Wohl told Krebs the company has around forty employees, provides phone-hacking services to government customers, and holds federal contracts he declined to specify.
Why this one is here
We do not, generally, cover which specific offensive-security vendor is standing up which new shell company this quarter. There are dozens of firms in this market, they turn over frequently, and the pattern of “founded by [ex-intelligence-community, or ex-something-adjacent], selling capability to [some allied and some less-allied governments]” is the industry’s normal condition, not a story on its own. Krebs’s piece is here because IRIS C2 fails even the industry’s own baseline gate — the “we can vouch for our founders” step that offensive-security vendors have, publicly and privately, held out as their floor for years.
The industry’s polite line on itself, from NSO Group through the smaller cluster of Israeli, European, and American vendors that came up after them, has always been some version of: we sell serious tools to serious buyers, our people are vetted, and the excesses you read about are the fault of specific customers, not the market as a whole. That claim was never fully credible — the European Parliament’s PEGA committee, Citizen Lab, and Amnesty’s Security Lab spent most of the last decade documenting the excesses — but it was the claim, and the industry policed the founder question a little more carefully than it policed the customer question. The founders were, if not clean, at least professionally legible. They had CVs.
IRIS C2 does not present anything of the sort. What Krebs’s public-records work turns up is two men whose only relevant recent professional experience is running the fraud schemes they were convicted for, now claiming to broker seven-figure zero-day acquisitions on behalf of federal customers who cannot be named. The gatekeepers — the buyers, the payment rails, the conference organizers who let firms like this table at industry events — should have caught that. Whether they did, whether IRIS C2 has real contracts or is running a different kind of scheme entirely, and who is actually on the other end of the “government customers” claim, are the questions that follow. Krebs asks them and does not fully answer them. Neither will we, until there is more.
What to do with this, if you do anything
For most 0daynews readers this is not, again, an operational item. You will not be targeted by IRIS C2’s putative capability set because it is not clear IRIS C2 has one. What matters is the second-order signal.
If you are a vulnerability researcher weighing where to sell — a question the market pushes harder every year — the appearance of firms like this in the buyer pool is a datapoint. “Who is the actual end user of the exploit I am about to hand over” has always been the industry’s least-answered question. It gets worse, not better, when the middle layer includes companies whose founders have never held a job outside the fraud economy. The vendors that ask you to trust their vetting have to be doing vetting themselves. Read Krebs’s piece, and then read the counterparty’s website with it in mind.
If you are on the buying side of this market — and some of our readers are — the same warning applies from the other direction. Federal procurement has an interest in not being the “government customer” that firms like this quietly name to counterparties. The list of shops actually selling into this space is short enough that a public-records check is not a heavy lift. That it apparently was not done here is the story.
The exploit market has always been the part of security that policed itself least. It keeps supplying evidence for why that should change.
Found this useful? Share it.

