Felons Run Offensive Cybersecurity Startup IRIS C2
A cybersecurity startup named IRIS C2, which has been actively seeking zero-day security vulnerabilities in popular software with offers of up to $7 million, is allegedly run by individuals with criminal convictions and far-right conspiracy beliefs. The X/Twitter account IRIS C2 (@C2IRIS), created in January 2025, has amassed over 4,000 followers by frequently posting about security vulnerabilities, artificial intelligence, and software exploits. IRIS C2 claims to be a company based in McLean, Virginia, specializing in offensive cybersecurity capabilities.
The IRIS C2 website actively solicits talent by advertising potential payouts of millions of dollars for exploits. A pinned post on the company's X account states its business model involves attracting top vulnerability researchers and exploit developers, particularly junior engineers with high intelligence, regardless of formal education or industry experience. The company's website, irisc2[.]com, lists numerous open positions, and a recent LinkedIn post indicated a high volume of applications.
The company's stated mission involves acquiring "zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms," with payouts ranging from $10,000 to $7 million based on the exploit's target, reliability, and operational value. According to the government contracting portal g2exchange.com, the domain irisc2[.]com is operated by a Virginia-based entity named Calvexa Group LLC. The contact link on the Calvexa Group website, calvexagroup[.]com, redirects to irisc2[.]com.
While G2Exchange indicates that Calvexa Group LLC is registered as a federal contractor, it does not appear to have any active direct government contracts. The individuals behind IRIS C2 and Calvexa Group LLC have a history of operating ventures under assumed names, including fake intelligence companies and a defunct AI-based lobbying platform. This background raises significant concerns regarding the legitimacy and intentions of the cybersecurity firm.
Original source — read the full reporting at the publisher:
Read on Krebs on Security