What you’ll learn in this article…
- Convicted felons ran IRIS C2, offering up to $7 million for exploits.
- Job scams cost Americans $501 million in 2024 alone.
- Always verify startup founders, funding, and legal registration before applying.
In July 2026, KrebsOnSecurity reported that IRIS C2, a Virginia-based cybersecurity startup offering zero-day exploit payouts up to $7 million, is run by two convicted felons with histories of telecommunications fraud, robocall scams, and unregistered securities violations. The company's founders, Jack Burkman and Jacob Wohl, previously operated fake intelligence firms and face millions in fines and settlements from federal and state enforcement actions.
Cybersecurity's chronic talent shortage and projected 3.5 million unfilled positions worldwide create ideal conditions for fraudulent startups to target career changers and students. Scam operations exploit the field's technical complexity, unfamiliar jargon, and high earning potential to lure applicants into schemes that steal money, harvest personal data, or damage professional reputations. In 2024 alone, job scams cost Americans $501 million, and cybersecurity postings now represent a growing share of that fraud.
Understanding why cybersecurity is important helps you recognize when a company's claimed mission doesn't match its actual practices. This guide walks through the IRIS C2 case as a real-world example, identifies red flags in job postings and interviews, provides a step-by-step verification checklist for company legitimacy, and benchmarks actual cybersecurity salaries against common scam offers.
Case Study: How Convicted Felons Launched a Cybersecurity Startup
The cybersecurity industry's rapid growth has created openings for bad actors to exploit job seekers and clients alike, and few cases illustrate this more starkly than IRIS C2. This McLean, Virginia company offers payouts ranging from $10,000 to $7 million for zero-day exploits, positioning itself as a serious player in the vulnerability acquisition market. The problem? It is run by two convicted felons with a documented history of fraud, deception, and criminal activity spanning multiple states.
Who Is Behind IRIS C2
IRIS C2 is operated by Jack Burkman, age 60, and Jacob Wohl, age 28. Both men are convicted fraudsters whose legal troubles paint a troubling picture for anyone considering employment or business dealings with the company.1
Their criminal record includes:
- 2019 securities fraud: Wohl pleaded guilty to four felony counts of selling unregistered securities in California.
- 2022 telecommunications fraud: Both Wohl and Burkman pleaded guilty to telecommunications fraud charges in Ohio.
- 2023 FCC penalty: The Federal Communications Commission imposed a $5.1 million fine on the pair for illegal robocall campaigns.
- 2023 civil rights settlement: Wohl and Burkman agreed to pay a $1 million settlement in a New York civil rights case.
This is not a case of youthful indiscretion or a single mistake. The pattern of fraud, false claims, and legal violations spans years and multiple jurisdictions. According to reporting by Krebs on Security, the duo has a history of creating fake intelligence companies and spreading false claims, making their entry into cybersecurity particularly concerning.1
The Legitimacy Laundering Playbook
IRIS C2 did not start as a zero-day broker. The company originally operated as a penetration testing firm before pivoting to selling phone-hacking services to the government. This pivot follows a classic legitimacy laundering pattern: start with a service that sounds conventional and defensible, build a client base or reputation, then shift toward higher-risk activities while trading on the credibility of earlier work.
The company claims to have landed unspecified federal contracts and reportedly employs around 40 people. Employees were instructed they could not list IRIS C2 on LinkedIn for operational security reasons. While some legitimate security firms do restrict public employee disclosures, this policy also conveniently shields the company from external scrutiny by researchers, journalists, and potential applicants doing their homework. For anyone building a cybersecurity career, understanding which employers maintain genuine operational norms versus which use secrecy as cover is a foundational skill.
Investigable Breadcrumbs
Despite attempts at secrecy, IRIS C2 left trails that a determined job seeker could follow. The company's X account, @C2IRIS, gained more than 4,000 followers since January 2025, giving it a veneer of social proof. But follower counts are easily manufactured and should never substitute for due diligence.2
The corporate structure also reveals connections. IRIS C2's website is registered to Calvexa Group LLC, incorporated in Arlington, Virginia at an address associated with Jack Burkman. A simple WHOIS lookup or state corporation search would surface this connection, linking the company directly to a convicted fraudster.
What This Means for Job Seekers
If a company offering $10,000 to $7 million for exploit submissions is run by convicted felons with a documented history of fraud, what does that tell you about employers you do not investigate? For students and career changers entering cybersecurity, this case underscores a critical lesson: the promise of high payouts or exciting work does not override the need for basic due diligence.
Legitimate exploit acquisition firms and security startups operate with verifiable leadership, transparent corporate structures, and clean legal histories. The ethical grounding you develop through a solid cybersecurity degree program will sharpen your instincts for spotting exactly these kinds of red flags. When you skip the background research, you risk associating your name and career with criminal enterprises, potentially exposing yourself to legal liability, or simply wasting months on a job that evaporates when investigators come knocking.
The full details of this case, including the operators' extensive legal history, are documented by Krebs on Security in the article Felons, Fraudsters Flog Offensive Cybersecurity Startup. For anyone evaluating a cybersecurity employer, this story should serve as required reading before signing an offer letter.
How Big Is the Cybersecurity Job Scam Problem?
A cybersecurity job scam is a fraudulent employment offer, fake company listing, or bogus contractor gig designed to steal your money, your personal data, or your professional credibility. These scams range from phishing lures posted on legitimate job boards to entire shell companies with polished websites, LinkedIn presences, and fake funding announcements. The exact size of the problem is hard to pin down because reporting is fragmented across agencies, but the tools to gauge it are public and worth bookmarking.
Where to Find Official Loss Statistics
Two federal sources publish the numbers that most journalists and researchers cite. The FTC's Consumer Sentinel Network Data Book is released annually and breaks down consumer fraud reports by category, including business and job opportunity scams, with state-level detail. The FBI's Internet Crime Complaint Center (IC3) publishes an Annual Internet Crime Report that tracks employment fraud losses, victim demographics, and year-over-year trends. Both are free PDFs on ftc.gov and ic3.gov respectively, and both include sector context that helps you see where tech-related scams fall in the broader landscape.
Industry-Specific Signals
For cybersecurity-specific patterns, check the resources maintained by professional associations such as ISC2, CompTIA, and SANS. These groups periodically publish workforce studies and member advisories that flag emerging scam tactics targeting security professionals. CyberSeek, a job market data project supported by CompTIA and NIST, offers a heat map of legitimate cybersecurity openings by region and role, which is useful for sanity-checking whether a suspicious offer matches real market conditions in your area. Understanding what cybersecurity is and why it matters also helps you recognize when a job posting's technical claims don't add up.
Cross-Check Against Real Market Data
The BLS.gov Occupational Outlook Handbook gives you baseline projections for information security analyst demand, typical wages, and common qualifications. If a startup offers a compensation package that dwarfs BLS medians for your experience level, that gap alone is worth investigating. Earning recognized cybersecurity certifications gives you an independent benchmark for what skills are genuinely valued, making it easier to spot roles that promise outsized pay for vague responsibilities.
Stay Current in Real Time
Static reports lag reality by months. Set up Google Alerts for phrases like "cybersecurity job scam" and "employment fraud tech," and subscribe to the FTC's Scam Alerts page for near real-time notices. Following IC3 and reputable security journalists on your preferred platform will surface fresh cases faster than waiting for the next annual data book.
Red Flags in Cybersecurity Startup Job Postings
A legitimate cybersecurity job posting and a fraudulent one can look surprisingly similar at first glance, but close reading reveals patterns that separate the real from the risky. Learning to spot these patterns is one of the most valuable skills you can develop as you enter the field, and it costs you nothing but a few extra minutes of scrutiny.
Upfront Fees and Financial Requests
No reputable employer will ask you to pay money before you start working. Yet scam postings routinely slip in requests disguised as standard procedure. Watch for any of these:
- Equipment purchase requirements: You are told to buy a laptop, software licenses, or specialized hardware "that will be reimbursed after your first pay period."
- Background check payments: The posting or recruiter asks you to pay for your own background screening through a specific (often unfamiliar) vendor.
- Mandatory training materials: You are directed to purchase a course, certification voucher, or study kit as a condition of employment.
Legitimate companies cover onboarding costs. If money is flowing from your wallet to a prospective employer before day one, walk away.
Equally alarming is any request for personal financial information, such as your bank account number or Social Security number, before you have received a formal, signed offer letter and completed official onboarding. Scammers harvest this data for identity theft. A real HR department collects sensitive details only after you have accepted an offer and are working through a verified onboarding system.
Compensation That Defies Gravity
Cybersecurity salaries are strong, but they follow recognizable ranges tied to role level, location, and experience. A posting that promises a six-figure salary for an entry-level analyst with no certifications or experience should raise immediate questions. Other warning signs include guaranteed signing bonuses before you have even interviewed, equity grants described with no mention of a vesting schedule or cap table, and phrases like "unlimited earning potential" without concrete details.
If the pay sounds too good for the title, compare it against cybersecurity salary data from the Bureau of Labor Statistics or established compensation surveys. A realistic offer for a junior security analyst in 2026 looks very different from a "guaranteed $180,000 base plus bonus" dangled in a vague LinkedIn message.
Structural Clues That Something Is Off
Beyond the content of the posting itself, pay attention to where it appears and how the company presents itself.
- Obscure job boards only: Legitimate startups post on their own careers page, LinkedIn, and well-known platforms. If you can only find the listing on a niche board you have never heard of, investigate further.
- No matching LinkedIn presence: Search for the company on LinkedIn. A real startup will have employee profiles, company updates, and a history that predates the job listing. A hollow page with a handful of followers and no employee activity is a red flag.
- Generic email domains: Recruiters contacting you from Gmail, Yahoo, or Outlook addresses rather than a corporate domain are a classic indicator of fraud. Any company serious enough to hire should have its own email infrastructure.
- Buzzword-heavy, detail-light descriptions: Scam postings love phrases like "cutting-edge threat intelligence" and "next-gen cyber defense" while never naming actual tools, frameworks, or methodologies. A genuine posting will reference specific platforms (SIEM tools, cloud environments, scripting languages) and describe day-to-day responsibilities.
Cross-Reference Every Posting
One of the simplest verification steps is also the most overlooked. Visit the company's own website and look for a careers or jobs page. If the role you found on a job board does not appear on the company's site, contact the company directly through contact information listed on the official site, not through the job posting, to confirm the opening exists. Scammers frequently impersonate real companies, and a quick check can save you from handing over personal data to a stranger. Choosing employers from best online cybersecurity programs can also help you build a network of vetted industry contacts before you ever start the job hunt.
Building the habit of verifying postings now will serve you throughout your career. The cybersecurity field rewards skepticism, and the hiring process is no exception.
If a cybersecurity startup asks you to pay for equipment, training, certifications, or background checks before your first day, treat it as a near certain scam. Legitimate employers cover all onboarding costs. No reputable company will require new hires to spend their own money just to start a job.
Interview Warning Signs at Questionable Cybersecurity Companies
When a startup interview feels too good to be true, the real tension isn't between accepting and declining; it's between trusting the process and protecting your career. A legitimate cybersecurity company wants to confirm your skills before making an offer, while a scam outfit wants to hook you before you ask the wrong questions.
No Technical Depth
A genuine cybersecurity interview will probe your hands-on knowledge. You should expect questions about tools like Wireshark, Burp Suite, or SIEM platforms, and frameworks such as NIST or MITRE ATT&CK. If the conversation stays entirely at a high level , "Tell us about yourself" or "Why do you want this job?" , and never touches on scenarios like handling an incident or analyzing a packet capture, something is off. Real cybersecurity hiring always tests technical competence, even for entry-level roles. Candidates who have completed online cybersecurity programs will recognize immediately when a technical screen is suspiciously absent.
High-Pressure Tactics
Watch for urgency that feels manufactured. Scam startups often push you to accept immediately, claiming the offer expires in 24 hours or that another candidate is waiting. They may discourage you from consulting a mentor, doing additional research, or even sleeping on the decision. A reputable company respects your need to evaluate the opportunity and will never pressure you into bypassing due diligence.
Requests for Sensitive Information
During or immediately after an interview, be wary of any request for your Social Security number, bank details, or copies of your ID. Legitimate employers handle these through a secure HR onboarding portal after a formal offer letter is signed. If an interviewer asks for this data over a video call or in an email, treat it as a red flag. Never share personal identifiers until you've verified the company's existence and received a written offer.
The Too-Easy Interview
If you're offered a senior role after a 15-minute chat with no technical screening, no reference checks, and no panel interview, alarm bells should ring. Real cybersecurity positions, whether in a startup or an enterprise, require proof of your ability to protect systems and data. A scam company doesn't care about your qualifications; it just needs a warm body to lend credibility to the operation. Graduates of a cybersecurity bootcamp online or a degree program arrive with documented, verifiable skills that legitimate employers specifically look for.
Questions You Should Ask
Turn the tables by asking pointed questions. Inquire about their client base: "Who are your current clients?" A legitimate firm can name sectors or, with NDAs, describe the types of organizations they serve. Ask about compliance: "What frameworks do you follow for data protection or penetration testing?" Also request to speak with current employees. Scam operations will dodge these questions or provide vague, unconvincing answers. Understanding cybersecurity law programs can also sharpen your instincts for spotting when a company's stated practices don't hold up to scrutiny. If they can't answer convincingly, walk away.
Related Articles
How to Verify a Cybersecurity Startup's Legitimacy
Verifying a cybersecurity startup means confirming that the company actually exists as a legal entity, that its founders have credible professional histories, and that its technical claims hold up under scrutiny. This process is not complicated, but it does require you to check multiple sources rather than taking a slick website at face value. The IRIS C2 case, where a company registered under the shell entity Calvexa Group LLC turned out to be run by convicted felons, shows exactly why every step below matters.
Step 1: Confirm the Company Is a Real, Registered Business
Every legitimate U.S. company must register with its state's Secretary of State office. You can search these records for free. LLC University maintains a directory covering all 50 states,1 and sites like SecretaryOfState.com2 and Coordinated Legal3 offer quick links to each state's database. States like Georgia,4 Texas,5 North Carolina,6 Kentucky,7 and South Carolina8 all have searchable online portals where you can look up a company's registration status, filing date, registered agent, and principal address.
When you run the search, pay attention to:
- Filing date: Was the company formed recently, or does it have a track record?
- Registered agent address: Does it match the company's claimed headquarters, or is it a residential address or virtual mailbox?
- Status: Is the entity in good standing, or has it been dissolved, revoked, or administratively closed?
If the company is not registered at all, or if the registration details conflict with what you have been told, that alone is a disqualifying red flag.
Step 2: Search for Financial Filings and Funding History
Publicly traded companies and those that have issued securities must file with the SEC. Search the SEC EDGAR database to see if the company or its principals have any filings, enforcement actions, or registration statements. For private startups, check Crunchbase and PitchBook to verify claimed funding rounds. Legitimate startups that say they have raised venture capital will have public records of those investments. If a company claims millions in funding but has zero trace on these platforms, treat the claim with skepticism.
Step 3: Check the Domain and Online Presence
Use a WHOIS lookup tool (ICANN Lookup or who.is are both free) to check when the company's domain was registered. A domain that is only a few months old but attached to a company making grand claims about government contracts or multimillion-dollar exploit payouts is a warning sign. In the IRIS C2 case, domain registration records led directly to the connection between the startup and a shell company linked to Jack Burkman.
Also verify founder LinkedIn profiles and cross-reference what they claim with news coverage. Genuine cybersecurity professionals have verifiable career histories, conference appearances, published research, or public contributions to the security community. If a founder's profile appeared recently, lacks endorsements from real professionals, or lists credentials you cannot confirm, that deserves further investigation. Understanding what cybersecurity is and why it matters can help you gauge whether a company's claimed expertise is realistic.
Step 4: Verify Cybersecurity-Specific Credibility
Legitimate cybersecurity companies typically hold industry-recognized certifications and participate in public accountability structures. Look for:
- SOC 2 Type II reports: These are third-party audits of a company's security controls. Companies that have completed one will usually mention it on their site, and you can ask to see the report.
- ISO 27001 certification: An international standard for information security management. Certification bodies publish registries you can search.
- CREST membership: CREST is an accreditation body for penetration testing and cybersecurity service providers. Its member directory is public.
- Bug bounty participation: Companies that contribute to platforms like HackerOne or Bugcrowd demonstrate a willingness to operate transparently.
- Conference presentations or published research: Firms that have presented at Black Hat, DEF CON, or RSA Conference have been vetted by program committees. Check archived speaker lists and proceedings.
A company that claims deep technical expertise but has none of these markers is worth questioning.
Step 5: Cross-Check with Free Public Resources
Before you accept a job offer, run a few final checks:
- BBB Business Lookup: Search the Better Business Bureau for complaints, ratings, and accreditation status.
- Glassdoor reviews: Read employee reviews, but watch for patterns of suspiciously uniform five-star reviews posted within a short window. That pattern often signals manufactured credibility.
- LinkedIn employee count: Compare the number of employees on LinkedIn to the team size the company claims. A company that says it has 50 engineers but shows three LinkedIn profiles is misrepresenting itself.
None of these steps requires special tools or insider knowledge. They take about 30 minutes combined, and they can save you from joining a company that puts your career, your reputation, or even your legal standing at risk.
Questions to Ask Yourself
Legitimate Vs. Scam Cybersecurity Startups: Side-By-Side Comparison
Wavestone's 2026 French cybersecurity startup report tracks 120 companies experiencing rapid growth,1 while scam operations are systematically excluded from industry directories and investor databases.2 Understanding the concrete differences between credible firms and fraudulent ones helps job seekers protect their careers and avoid wasting months at a company that will never appear on a resume in a positive light.
Market Presence and Industry Recognition
Legitimate cybersecurity startups maintain visible relationships with established partners, appear in reputable industry rankings, and secure third-party validation through accelerators, venture capital firms, or government contracts. Security Point Break's Q1 2026 Top 30 Cybersecurity Startups list highlights companies with verified funding rounds, named clients, and publicly documented product launches.3 Scam operations, by contrast, operate in isolation, rarely appear in established industry publications, and avoid third-party scrutiny. Their websites often lack verifiable client testimonials, omit team LinkedIn profiles, or list fabricated partnerships with well-known brands that can be disproven with a single phone call.
Technical Depth and Compliance Capability
Credible startups demonstrate strong technical depth through published research, conference presentations, open-source contributions, or documented CVEs (Common Vulnerabilities and Exposures). CyberDB's 2026 Investor's Checklist emphasizes that investors evaluate technical leadership by examining patent filings, academic affiliations, and whether the founding team has prior experience in the cybersecurity field.2 Scam operations exhibit low technical depth, often repurposing generic marketing language without demonstrating proprietary technology or defensible intellectual property. Legitimate firms also maintain strong compliance capability, adhering to SOC 2, ISO 27001, or FedRAMP standards when selling to enterprise or government clients. Candidates interested in this compliance-focused work can explore what compliance analyst roles require before evaluating whether a prospective employer meets those same standards. Fraudulent startups show weak compliance capability, lacking basic security certifications and often operating without proper business licenses or insurance.2
Employer Perception and Career Impact
Employer perception studies from Glassdoor and industry surveys consistently show that hiring managers value experience at recognized cybersecurity firms, even early-stage startups, as long as the company has a verifiable product and legitimate clients.3 Working for a scam startup carries negative employer perception, as background checks and reference calls quickly reveal the company's fraudulent nature.2 The Federal Trade Commission (FTC) publishes consumer alerts about fake job postings and employment scams, and cross-referencing these alerts with cybersecurity firm reports and regulatory filings helps candidates identify red flags before accepting an offer. Exploring accredited online cybersecurity programs is one concrete step toward building credentials that legitimate employers can actually verify. A single semester spent at a scam operation can create a resume gap that is difficult to explain in future interviews, making due diligence an essential step for every job seeker in this field.
What Cybersecurity Salaries Actually Look Like
One of the best tools you have for spotting a scam is knowing what cybersecurity professionals actually earn. If a startup offers you a salary that seems impossibly high for your experience level, or suspiciously low with promises of future equity payouts, that mismatch should trigger an investigation. The numbers below come from the U.S. Bureau of Labor Statistics Occupational Employment and Wage Statistics (2024) and represent the national picture for information security analysts. Career changers entering the field should expect compensation near the 25th percentile, not the inflated figures that fraudulent postings love to advertise.
| Salary Benchmark | Annual Wage |
|---|---|
| 25th Percentile (typical entry level) | $92,160 |
| National Median | $124,910 |
| Mean (average) | $127,730 |
| 75th Percentile (senior or specialized roles) | $159,600 |
In 2024, job scams cost Americans $501 million, according to the Federal Trade Commission's Consumer Sentinel Network Data Book. As cybersecurity becomes one of the fastest-growing employment sectors, scammers are increasingly targeting job seekers with fake postings for penetration testers, security analysts, and zero-day researchers.
Protect Your Career: Next Steps for Aspiring Cybersecurity Professionals
Protecting your cybersecurity career starts before you ever send a resume: the choices you make about education, networking, and job searching determine which opportunities find you and whether those opportunities are real.
Start With Recognized Credentials
The most reliable way to enter cybersecurity through legitimate channels is to pursue credentials that the industry actually recognizes. Certifications like CompTIA Security+, the Certified Ethical Hacker (CEH), and the Certified Information Systems Security Professional (CISSP) are issued by established, accredited bodies with clear exam standards and renewal requirements. Employers who recruit candidates holding these certifications are, almost by definition, operating in the legitimate professional world. Scam operations rarely bother requiring or even mentioning recognized credentials because their hiring process is not designed to evaluate your skills.
Pairing those certifications with an accredited online cybersecurity degree program adds another layer of protection. Degree programs that carry regional or national accreditation are reviewed by independent bodies, and the employers who recruit from them go through their own vetting process. That pipeline is far less likely to surface a fraudulent company than a cold LinkedIn message or an unsolicited email.
Use Job Platforms That Have Accountability
Where you search for jobs matters almost as much as what you apply to. Platforms like LinkedIn, Glassdoor, and CyberSecJobs attach employer accountability to postings in ways that anonymous job boards do not. On Glassdoor, former employees leave reviews. On LinkedIn, you can see a company's full profile, founding date, employee count, and whether you share any connections with people who work there. That context is invaluable when something feels off.
Skip unsolicited offers entirely. If a recruiter contacts you out of nowhere with a vague role at a company you cannot find in any directory, treat that as a warning, not an opportunity.
Build a Network That Vets Opportunities for You
One of the most underused tools in cybersecurity job searching is the professional network. Local chapters of ISACA and ISC2, regional security conferences, and cybersecurity meetups connect you with practitioners who have seen the industry from the inside. When a company name comes up, someone in that room has often heard of it, worked near it, or knows its reputation. A five-minute conversation can surface information that hours of online searching might miss.
Understanding what cybersecurity is and why it matters helps you ask sharper questions about any employer's actual work. Research the founders. Check business registrations. Look for a physical address that actually exists. In a field built on trust and security, the employers worth working for will hold up to scrutiny every time.
The 10 minutes you spend verifying a company before you apply could save you from identity theft, financial loss, or a serious career setback. If you are weighing a computer science cybersecurity degree alongside standalone certifications, accredited programs offer a built-in filter: the institutions and recruiters connected to them have reputations to protect.
Common Questions About Cybersecurity Job Scams
These are some of the most common questions job seekers ask when evaluating cybersecurity startup opportunities. Each answer references tools, resources, and verification steps covered throughout this guide.









