TL;DR: A Virginia company called IRIS C2 has been publicly recruiting vulnerability researchers and pitching phone-hacking services to the US government. The startup is registered federally as Calvexa Group LLC and operates from an Arlington address tied to lobbyist Jack Burkman. The two people running it, Burkman and his longtime associate Jacob Wohl, both have felony convictions for telecommunications fraud tied to the 2020 voter-suppression robocall scheme that drew a $5,134,500 Federal Communications Commission fine, the largest the FCC has ever imposed under the Telephone Consumer Protection Act. Independent reporting puts a separate $300,000 retainer in their hands, paid by a Canadian crypto fugitive wanted in three countries for alleged exploits against KyberSwap and Indexed Finance, to lobby Washington for a presidential pardon [1][2][3][4].
What IRIS C2 Actually Sells
IRIS C2 runs a public exploit-acquisition marketplace on its own domain. The "Exploit Acquisition" page spells out target tiers and dollar ranges in graphic detail. Payouts run from $10,000 to $7 million depending on the platform and the type of chain. The high end, $5 million to $7 million, is reserved for a zero-click, full remote-exploit chain against iOS. Android zero-click chains pay $3 million to $5 million. One-click variants and persistence modules pay less, all the way down to single primitives with usable info leaks [2].
The site's vendor pitch is unusually direct for this corner of the security market. Submissions require exclusivity and current-version targets only. DoS-only exploits and previously disclosed bugs are rejected on the form. The page notes that the entire program is "subject to U.S. Export Administration Regulations (EAR) and ITAR," a hint that the buyers being courted include foreign governments as well as US agencies [2].
Reporting by Brian Krebs at KrebsOnSecurity, citing federal-contractor registry data and its own interview with Wohl, identifies Calvexa Group LLC as the corporate parent and an Arlington, Virginia mailing address tied to Burkman as the firm's operating base. Wohl told Krebs the company originally launched as a penetration testing shop before pivoting to selling phone-hacking services to the government. Wohl also claimed IRIS C2 holds active federal contracts, but Krebs was unable to surface any direct awards on the public record [1].
The Operators Have a Long Paper Trail
Burkman and Wohl have spent the last decade moving from political dirty-tricks schemes into federal fraud territory and out the other side. The August 2020 robocall campaign the pair is best known for placed roughly 85,000 calls into battleground states, including about 12,000 calls in Detroit, telling Black voters that mail-in ballots would expose them to warrant checks, debt collection, and forced vaccination. A federal grand jury in Cleveland indicted them in October 2020 on multiple felony counts [3][4].
On October 24, 2022, both men pleaded guilty in Cuyahoga County, Ohio to a single felony count of telecommunications fraud. Fourteen related counts were dropped as part of the deal. They were sentenced on November 29, 2022 to a $2,500 fine, two years' probation, and 500 hours of voter-registration community service in Washington, D.C. Burkman separately consented to disbarment by the D.C. Court of Appeals [3][4].
The criminal fines kept coming. On June 6, 2023, the FCC formally imposed a $5,134,500 civil penalty on the pair for the same robocall scheme, the largest fine the agency has ever sought under the Telephone Consumer Protection Act. The penalty had been proposed in August 2021. In March 2023, Judge Victor Marrero of the Southern District of New York ruled in a civil case brought by the New York Attorney General that Wohl and Burkman had violated the Voting Rights Act, the Civil Rights Act of 1957, and the Ku Klux Klan Act by targeting Black neighborhoods with the 2020 calls. The pair agreed on April 9, 2024 to a $1,000,000 settlement in that case, and as of May 2020 had not paid the restitution and penalties a state regulator had ordered in earlier securities cases [3][4].
Wohl's securities record predates the robocalls. The Arizona Corporation Commission charged him in 2017 with 14 counts of securities fraud and ordered him to pay $32,919 in restitution and $5,000 in penalties. A separate California case led to four felony guilty pleas and a 2024 two-year-probation sentence. The National Futures Association had already banned him for life in March 2017 [4].
The same pair previously ran LobbyMatic, an AI lobbying startup that Politico reported used pseudonyms inside the firm: Wohl operated as "Jay Klein" and Burkman as "Bill Sanders." Several LobbyMatic employees resigned after learning who was actually behind the operation [4].
The Same Pair Is Also Selling Access to a Presidential Pardon
The IRIS C2 story lands at the same time as a second Wohl-Burkman venture. Reporting from Molly White's Citation Needed newsletter, citing a February 2026 filing under the Foreign Agents Registration Act, says Burkman and Wohl were paid a $300,000 retainer by Andean Medjedovic, a Canadian wanted in the United States, Canada, and the Netherlands for alleged exploits against KyberSwap and Indexed Finance. The alleged losses run to a combined $65 million [5].
The White reporting says Burkman and Wohl were retained to pursue "a presidential pardon to avert a miscarriage of justice," and that they had at that point made "preliminary introductions" with staff for Reps. Byron Donalds (R-FL) and Jason Smith (R-MO). Donalds sits on the House Financial Services Committee and its Digital Assets Subcommittee; Smith chairs the House Ways and Means Committee. A separate lobbying disclosure indicates Burkman and Wohl's firm, J.M. Burkman and Associates, also worked on the unsuccessful pardon petition of Boosie Badazz and the later-successful petition of Joseph Schwartz, who paid them $960,000 before switching to a different lobbyist and securing a pardon under President Trump [5].
Putting the two ventures side by side, a company that pitches phone-hacking capabilities to the US government is being run by two men who are simultaneously accepting foreign-national money to lobby the US government for executive clemency in a transnational crypto-fraud case. There is no evidence the two streams of work are connected. The pattern across both is identical: a willingness to step into rooms where most operators would not show their face [1][5].
What to Watch
Any direct award on the public record. Wohl says IRIS C2 holds federal contracts and is not at liberty to discuss them. Until something on USAspending or a prime-contractor disclosure moves, the gap between the pitch and the paperwork is the story [1].
Submission volume. The IRIS C2 site publishes a four-step submission process and a 72-hour response window. If researchers begin delivering chains, the question of who buys the resulting capabilities becomes a question the public ought to be able to answer [2].
The Medjedovic pardon track. If the lobbying campaign produces anything beyond "preliminary introductions," the pairing of zero-day-shop and foreign-client retainer will draw scrutiny that makes the next exploit-shop pitch harder, not easier [5].
Sources
- Brian Krebs, KrebsOnSecurity: "Felons, Fraudsters Flog Offensive Cybersecurity Startup," July 8, 2026. https://krebsonsecurity.com/2026/07/felons-fraudsters-flog-offensive-cybersecurity-startup/
- IRIS C2: Exploit Acquisition page (public payout schedule, irisc2.com). https://irisc2.com/exploit-acquisition
- Wikipedia, "Jack Burkman." https://en.wikipedia.org/wiki/Jack_Burkman
- Wikipedia, "Jacob Wohl." https://en.wikipedia.org/wiki/Jacob_Wohl
- Molly White, Citation Needed, Issue 103: "The President's Council of Podcasters," March 31, 2026. https://www.citationneeded.news/issue-103/