The Dark Risks of Trusting Shadowy Figures With Zero-Day Exploits
A look inside IRIS C2, a mysterious cyber firm offering multimillion-dollar bounties but secretly run by notorious political schemers.
The trade of zero-day exploits—the unpatched software flaws that grant silent access to secure networks—occupies a murky gray market. Traditionally, this marketplace relies on an unspoken pact of absolute trust and discretion, as a single leak can neutralize a multi-million-dollar asset. Yet, the sudden emergence of highly visible entities promising massive financial rewards threatens to upend this delicate ecosystem. When the actors behind these fortunes have histories stained by deception, the dangerous collision between national security and opportunism stands fully exposed.
Historically, the offensive security sector has operated quietly, with low-profile brokers facilitating transactions between elite researchers and government agencies. This secretive status quo exists because these technologies are often classified as dual-use munitions. However, as demand for mobile hacking capabilities has exploded, the allure of rapid payouts has increasingly attracted a bizarre mixture of legitimate academics, self-taught hackers, and opportunistic charlatans looking to cash in on defense budgets, creating a volatile environment where separating genuine capability from elaborate theater is nearly impossible.
At the center of this clash is IRIS C2, an entity operating the X account @C2IRIS, which has gained over 4,000 followers since January 2025. Claiming to be in McLean, Va., the startup’s website, irisc2[.]com, offers payouts from $10,000 to $7 million for zero-days. The domain is run by Calvexa Group LLC, based at the Arlington, Va. address of 60-year-old Jack Burkman, founder of Burkman & Associates. Burkman’s 28-year-old partner, Jacob Wohl, manages operations. The pair have a long history of political fabrications, voter suppression robocalls leading to a Cleveland indictment on 15 felony counts (resulting in probation in late 2025), a 2022 Ohio telecommunications fraud conviction, a March 2023 New York civil settlement of $1 million, and a June 2023 FCC fine of $5.1 million. Wohl claims IRIS C2 has about 40 employees and pitches hacking services to government clients. "Our business model is this," reads a pinned post on top of the IRIS C2 account on X. "Attract the very best vulnerability researchers and exploit developers in the world to join our company. This mostly revolves around junior engineers with raw talent/extremely high IQ. We don’t care if they have a college degree/industry experience." Wohl, boasting of his self-taught abilities, said, "I know more about tech than anyone," Wohl bragged. "My background has always been extremely technical, and I’ve always been deeply into tech. People know me as someone who is able to create spectacularly exquisite capabilities that would make your head spin." Explaining how they refine raw security flaws, Wohl detailed, "Let’s say someone finds a flaw in a media decoder on a phone," Wohl said. "A lot of times what we receive is an exploit primitive, where the idea is there but the [execution] needs work. You need that exploit to be stable and reliable, and that’s what we do."
By the numbers, Wohl's history of financial schemes is long. In 2017, at age 17, after appearing on Fox News in 2015, the Arizona Corporation Commission charged him with 14 counts of securities fraud, ordering $35,000 in restitution. In 2019, he pleaded guilty to four felony counts in California, receiving two years of probation. In September 2024, they operated LobbyMatic under the pseudonyms "Jay Klein" and "Bill Sanders." On March 31, journalist Molly White reported they received a $300,000 retainer from an accused Canadian crypto hacker wanted for allegedly stealing $65 million from KyberSwap and Indexed Finance. This security saga was detailed on July 8, 2026, and updated on July 9, 9:44 a.m. ET.
Why it matters: The insertion of documented fraudsters into the offensive cyber pipeline introduces severe systemic risks. If independent researchers sell volatile zero-days to brokers operating under pseudonyms, these tools could easily end up in the hands of extortionists or foreign adversaries. For enterprises and consumers, this unchecked market means critical security flaws in everyday software are hoarded for profit rather than patched, leaving global digital infrastructure permanently exposed to unpredictable, weaponized threats.