Convicted fraudsters are running a US startup offering $7 million for software exploits

IRIS C2 says it pays up to $7 million for zero-day exploits. Its owners are Jacob Wohl and Jack Burkman, best known for felony robocall convictions and a string of political dirty-tricks stunts.

ThreatVectr Newsdesk· 4 min read
A shadowed office desk in a nondescript suburban business park at dusk, photoreal news-editorial style, full-frame edge-to-edge composition, 16:9
Share

Key points

  • IRIS C2, a Virginia startup, publicly offers $10,000 to $7 million per exploit to buy unknown flaws in popular software.
  • The company is operated by Calvexa Group LLC, whose principals are Jacob Wohl, 28, and Jack Burkman, 60.
  • Wohl and Burkman pleaded guilty to telecommunications fraud in Ohio in 2022 and were fined $5.1 million by the FCC in June 2023 over voter-suppression robocalls.
  • Wohl told KrebsOnSecurity that IRIS C2 has around 40 staff and now sells phone-hacking services to the US government, though he would not name any contract.
  • In 2024, the pair were caught running a lobbying startup, LobbyMatic, under the fake names Jay Klein and Bill Sanders.

A US startup that says it will pay up to $7 million for hacking tools is run by two convicted felons with a long record of political hoaxes and fraud.

The company is called IRIS C2. It says it is based in McLean, Virginia, and it has been busy on X since January 2025, where it has picked up more than 4,000 followers.

On its website, IRIS C2 offers to buy what the industry calls zero-days: previously unknown flaws in software that let attackers break into phones, laptops and servers before the maker can issue a fix. Payouts, the site says, run from $10,000 to $7 million, depending on the target.

That kind of buying is not new. Governments and their contractors quietly pay hackers for these flaws all the time. What is unusual is doing it this loudly.

Who actually runs IRIS C2?

Business records point to a Virginia firm called Calvexa Group LLC, and Calvexa's registered address is a property occupied by Jack Burkman, a 60-year-old lobbyist. When KrebsOnSecurity approached Burkman, he passed questions to his longtime associate Jacob Wohl, who is 28.

The pair are not obscure figures.

In 2019, they held press conferences accusing then-FBI director Robert Mueller of sexual assault. The claims were fabricated. They ran similar smears against Pete Buttigieg, Senator Elizabeth Warren and Kamala Harris.

After the 2020 election, they were indicted in Cleveland on 15 felony counts over robocalls aimed at suppressing Black voters in Detroit. In 2022, both pleaded guilty to a single felony count of telecommunications fraud in Ohio. They were sentenced to a fine, probation and community service.

In March 2023, a New York judge ruled they had violated federal and state civil rights laws, and they agreed to a $1 million settlement. In June 2023, the Federal Communications Commission fined them $5.1 million, the largest penalty it had ever sought under the Telephone Consumer Protection Act.

Wohl has his own separate history. In 2017, Arizona regulators charged him with 14 counts of securities fraud. In 2019, he pleaded guilty in California to four felony counts of selling unregistered securities.

Should the public be worried?

Yes, but not in the way a ransomware story worries you. The concern here is who ends up holding powerful hacking tools, and how those tools reach government buyers.

Wohl told KrebsOnSecurity that IRIS C2 started as a penetration testing shop, meaning a firm hired to break into clients' systems to find weak spots, and has shifted to selling phone-hacking services to the US government. He repeatedly referenced federal contracts, but declined to name any. Public contracting records show Calvexa is registered as a federal contractor but does not appear to hold any direct government contracts.

Wohl said he has no formal training in computer science. "I know more about tech than anyone," he told the outlet.

He claims IRIS C2 has around 40 employees, though none are allowed to list the job on LinkedIn. He also said, in May, that his own girlfriend did not know what he did for a living.

There is precedent for the secrecy. In September 2024, Politico reported that Wohl and Burkman had been running a now-defunct AI lobbying startup called LobbyMatic under the aliases "Jay Klein" and "Bill Sanders." Two employees resigned once they figured out who their bosses really were.

For ordinary readers, the practical takeaway is narrow. If you are a security researcher approached by IRIS C2 or Calvexa Group at a conference, know who you are actually dealing with before you hand over your work.

© 2026 Threat Vectr