defense · KrebsOnSecurity
According to KrebsOnSecurity, a cybersecurity startup called IRIS C2, claiming to operate from McLean, Virginia, publicly advertises million-dollar payouts for zero-day vulnerabilities and exploit code across major platforms. The company's website states it acquires "zero-day exploits, individual primitives, partial chains, and full capabilities" with payouts ranging from $10,000 to $7 million. Investigation reveals the startup is operated by Calvexa Group LLC, whose Arlington address is associated with Jack Burkman, a 60-year-old lobbyist, and Jacob Wohl, age 28. The report documents both individuals' criminal histories, including convictions related to robocall schemes, securities fraud, and civil rights violations, along with significant fines from the FCC and settlements in civil cases.
For Omniware's buyers—particularly defense contractors subject to CMMC and those handling NIST 800-171 compliance—this case underscores the critical importance of vetting counterparties in the offensive security supply chain. Organizations procuring vulnerability intelligence or exploit data should conduct thorough background checks on vendors and verify their federal contractor status through official portals. SaaS providers and any organization integrating third-party security services should scrutinize operator credentials and legal standing. The brazen public marketing approach described here contrasts sharply with legitimate government contractor practices, signaling potential regulatory or legal risk. An Omniware engagement can scope vendor due diligence and supply-chain risk controls in detail.
Source: KrebsOnSecurity - https://krebsonsecurity.com/2026/07/felons-fraudsters-flog-offensive-cybersecurity-startup/
Source: KrebsOnSecurity
All briefings