The cybersecurity community is confronting an unusual development with the emergence of a startup offering substantial payouts for zero-day vulnerabilities, operated by individuals with extensive histories of fraud and criminal activities. This situation raises significant concerns about the ethical implications and potential risks within the offensive security market.
IRIS C2, presenting itself as a Virginia-based cybersecurity company, has been actively marketing itself on social media platforms, promising payments ranging from $10,000 to $7 million for valuable zero-day exploits. The company claims to target "junior engineers with raw talent/extremely high IQ" without requiring formal education or industry experience. Their public-facing operations suggest an aggressive approach to acquiring offensive cybersecurity capabilities.
Investigation reveals that IRIS C2 is operated by Calvexa Group LLC, a business registered to Jack Burkman at his Arlington, Virginia address. Burkman, a 60-year-old lobbyist, and his associate Jacob Wohl, 28, have well-documented histories of