Fake Cybersecurity Startups Are on the Rise — How Irish Businesses Can Spot Them

A cybersecurity startup offering millions of dollars for zero-day software vulnerabilities was recently exposed as being run by convicted felons and far-right conspiracy theorists operating under assumed names. The company, IRIS C2, had built a professional-looking website, a LinkedIn presence, and thousands of social media followers before investigative journalists uncovered its true backers.

This story, reported by security expert Brian Krebs on Krebs on Security, is a warning for Irish businesses. As AI makes it cheaper and easier to create convincing fake companies, the number of fraudulent cybersecurity vendors is likely to grow.

The Anatomy of the Scam

IRIS C2 presented itself as a legitimate offensive cybersecurity firm based in Virginia. It offered payouts of up to $7 million for security exploits. It had a professional website, job postings, and a social media presence. It even appeared on a government contracting portal.

But the company was linked to Jack Burkman, a lobbyist with a history of controversial activities, and operated by individuals with criminal records. The “startup” was a front — designed to attract vulnerability researchers and collect intelligence on software exploits under the guise of legitimate business.

This is not an isolated incident. Similar scams are appearing regularly in the cybersecurity industry, where trust is everything and verification is difficult.

Why AI Makes This Worse

AI tools make it trivially easy to create convincing fake companies. A fraudster can use AI to generate professional website copy, write credible job descriptions, produce marketing materials, and even create synthetic video testimonials. A few years ago, spotting a fake company involved looking for poor grammar, unprofessional design, or inconsistent information. Those signals no longer work.

AI-generated content is indistinguishable from human-written content for most readers. A fake cybersecurity startup can now look more professional than a legitimate one.

How Irish Businesses Can Protect Themselves

If your business uses cybersecurity vendors — and every business should — here are practical steps to verify they are legitimate.

First, check the company’s registration. In Ireland, the Companies Registration Office (CRO) allows you to verify if a company is registered and who its directors are. For international vendors, check the equivalent registry in their country. If a company cannot provide verifiable registration details, that is a red flag.

Second, speak to existing customers. Legitimate cybersecurity vendors will have case studies and references. Ask for contact details of clients with similar businesses to yours. If they cannot provide any, be suspicious.

Third, look for independent reviews. Security products are reviewed by independent labs like AV-Test, SE Labs, and NSS Labs. If a vendor claims to offer a security product and has no independent testing results, ask why.

Fourth, check the backgrounds of the leadership team. The Krebs story exposed a company run by convicted felons operating under assumed names. A quick LinkedIn search and a look at company news can reveal inconsistencies. If the CEO has no visible professional history before joining the startup, that is worth investigation.

The Bottom Line

The IRIS C2 story is a reminder that not every AI-powered or security vendor is what it claims to be. As AI makes it easier to create convincing fakes, due diligence becomes more important, not less. For Irish businesses, the cost of vetting a vendor properly is a fraction of the cost of being compromised by a fake one.

Take the time to verify. Your business depends on it. And remember: if a cybersecurity company looks too good to be true — seven million dollar payouts, a flashy website, and no verifiable track record — it probably is. A few hours of research could save your business from a costly mistake.