AI Security AI安全 2d ago Updated 2d ago 更新于 2天前 50

Felons, Fraudsters Flog Offensive Cybersecurity Startup 罪犯和骗子兜售攻击性网络安全初创公司

IRIS C2, a cybersecurity startup offering up to $7 million for zero-day exploits, is operated by Calvexa Group LLC, a shell company linked to convicted felons Jacob Wohl and Jack Burkman. Wohl and Burkman have extensive histories of legal troubles, including convictions for telecommunications fraud, securities fraud, and orchestrating disinformation campaigns against public figures. Despite lacking formal technical credentials, Wohl claims deep expertise and asserts the company is shifting focus IRIS C2是一家高调招募零日漏洞研究者的网络安全初创公司,提供高达700万美元的漏洞收购赏金。 该公司由有犯罪记录的极右翼阴谋论者Jacob Wohl和Jack Burkman运营,其背景涉及虚假情报公司和选举干扰。 尽管声称拥有联邦政府合同,但公开记录显示其并未承接直接政府项目,且创始人缺乏正规网络安全教育。 该案例揭示了漏洞黑市与灰色政治势力交织的风险,以及传统尽职调查在新兴AI和网络安全领域的局限性。

72
Hot 热度
78
Quality 质量
65
Impact 影响力

Analysis 深度分析

TL;DR

  • IRIS C2, a cybersecurity startup offering up to $7 million for zero-day exploits, is operated by Calvexa Group LLC, a shell company linked to convicted felons Jacob Wohl and Jack Burkman.
  • Wohl and Burkman have extensive histories of legal troubles, including convictions for telecommunications fraud, securities fraud, and orchestrating disinformation campaigns against public figures.
  • Despite lacking formal technical credentials, Wohl claims deep expertise and asserts the company is shifting focus toward selling phone-hacking services to the US government.
  • The venture operates with brazen transparency regarding its recruitment and payouts, contrasting sharply with the typically discreet nature of legitimate government cybersecurity contracting.

Why It Matters

This case highlights significant risks in the unregulated gray market for offensive cybersecurity tools, where individuals with criminal backgrounds can attempt to legitimize themselves through high-profile acquisitions of sensitive vulnerabilities. It underscores the vulnerability of government procurement channels to bad actors seeking to exploit national security interests for personal gain or political leverage. For the industry, it serves as a cautionary tale regarding due diligence in vendor selection and the potential for disinformation tactics to infiltrate critical infrastructure sectors.

Technical Details

  • Business Model: IRIS C2 aims to recruit "junior engineers with raw talent" regardless of formal education, offering payouts ranging from $10,000 to $7 million for zero-day exploits, primitives, and full capabilities across major platforms.
  • Corporate Structure: The entity is registered as Calvexa Group LLC in Virginia, with web properties (irisc2.com, calvexagroup.com) forwarding to each other. It appears on g2exchange.com as a federal contractor but shows no active direct government contracts.
  • Operational History: Originally positioned as a penetration testing firm, the company pivoted to selling phone-hacking services. Founder Jacob Wohl claims self-taught technical proficiency despite prior convictions for non-technical crimes.
  • Recruitment Strategy: Uses aggressive social media presence on X/Twitter (@C2IRIS) and LinkedIn to attract applicants, emphasizing high IQ and raw talent over traditional industry experience or degrees.

Industry Insight

  • Vendor Vetting Urgency: Organizations engaging in government contracting or handling sensitive data must implement rigorous background checks on vendors, particularly those claiming ties to defense or intelligence sectors without verifiable track records.
  • Regulatory Gaps: The ease with which individuals with felony records can establish entities capable of soliciting high-value cyber exploits suggests a need for stricter regulatory oversight in the commercial vulnerability market.
  • Reputation Management: The cybersecurity community should remain skeptical of entities that prioritize sensationalist recruitment tactics over transparent technical credentials, as these may be fronts for malicious activities or disinformation campaigns.

TL;DR

  • IRIS C2是一家高调招募零日漏洞研究者的网络安全初创公司,提供高达700万美元的漏洞收购赏金。
  • 该公司由有犯罪记录的极右翼阴谋论者Jacob Wohl和Jack Burkman运营,其背景涉及虚假情报公司和选举干扰。
  • 尽管声称拥有联邦政府合同,但公开记录显示其并未承接直接政府项目,且创始人缺乏正规网络安全教育。
  • 该案例揭示了漏洞黑市与灰色政治势力交织的风险,以及传统尽职调查在新兴AI和网络安全领域的局限性。

为什么值得看

这篇文章揭示了网络安全行业中一个极具争议的现象:具有严重法律和政治污点的个人如何渗透进敏感的漏洞交易市场。对于AI和安全从业者而言,理解此类非传统、高风险实体的运作模式有助于完善供应商尽职调查流程,并警惕恶意行为者利用高价值漏洞市场进行非法活动或政治操纵。

技术解析

  • 商业模式与激励:IRIS C2通过X平台和高额悬赏(1万至7000万美元)吸引全球顶尖漏洞研究人员,特别青睐无学历但高智商的年轻工程师,旨在获取零日漏洞、部分链式攻击及全平台能力。
  • 实体关联与身份:网站irisc2.com关联到弗吉尼亚州的Calvexa Group LLC,注册地址为知名游说公司Burkman & Associates的所在地,指向Jacob Wohl和Jack Burkman。
  • 创始人背景:Jacob Wohl自称自学成才,无CS学位,但有证券欺诈和电信欺诈前科;Jack Burkman曾参与多项针对公众人物的虚假指控。两人曾因操纵选举电话被定罪并处以巨额罚款。
  • 政府合同疑云:虽然Wohl声称从事联邦政府合同业务,但G2Exchange等政府招标门户未显示Calvexa Group有任何实际履行的政府合同,存在虚假宣传嫌疑。

行业启示

  • 强化尽职调查:企业在采购漏洞服务或与第三方安全公司合作时,必须超越表面资质,深入审查实际控制人的法律记录、政治倾向及过往行为,防范声誉和法律风险。
  • 监管漏洞市场透明度:当前零日漏洞交易市场缺乏统一监管,易被滥用。行业需推动更透明的交易标准和合规框架,防止漏洞被用于非法监控或政治打压。
  • 警惕“天才”叙事陷阱:IRIS C2强调“不看学历只看天赋”,这种叙事可能被用来掩盖缺乏专业伦理培训和合规管理的实质。企业应重视团队的专业背景审查,而非仅关注技术能力。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 AI AI Ethics 伦理