Quick Summary
Executive Summary
On June 28, 2026, The Academy for Classical Education was listed as a victim on the dark web leak portal of the 3AM ransomware group. The listing was identified by SOCRadar's Dark Web Monitoring service. SOCRadar's dataset associates the organization with Mexico and does not record its industry, so this report relies only on the information in the listing for attribution. The listing places the educational institution among 3AM's recent and geographically diverse victims: in the 60 days before it, 3AM claimed 21 other victims, most often in business services, agriculture and food production, and healthcare, with victims concentrated in the United States, Argentina, and Mexico. Other organizations recently listed by 3AM include Agro Industrial Exportadora SA de CV, Mogren, Glessner & Ahrens Law Firm, Công ty Cổ phần Công Nghệ Hợp Long, and the Australian Medical Council. The Academy for Classical Education's inclusion fits 3AM's pattern of activity in the Americas, although the group's victim base is global.
Technical Analysis
SOCRadar's threat intelligence identified a severe exposure for the acemacon.org domain through stealer-log telemetry. The exposure comprised roughly a dozen corporate-domain credentials for the organization's identity and SSO endpoints, plus a similar number of corporate usernames registered on third-party services. Compromised authentication endpoints included Google Workspace / IdP (accounts.google.com) and an identity-verification service. The records span 2024 to June 2026, and the same usernames recur across categories and capture dates, which points to repeated harvesting from infected employee endpoints rather than a single historical leak. The risk profile is therefore mixed: direct access to organizational identity services on one hand, and ongoing workstation-level compromise on the other.

Credentials harvested by infostealers are a well-documented initial access vector for ransomware groups such as 3AM. Attackers or initial access brokers buy these logs on underground marketplaces and replay the credentials against services such as Microsoft 365, Google Workspace, VPNs, and remote-access portals. This evidence does not confirm that 3AM used these specific credentials, but corporate identity credentials for the organization's IdP, harvested from infected endpoints, match the typical kill chain for such intrusions.

Security teams should prioritize credential resets for the exposed accounts and, because stealer logs commonly carry session cookies as well as passwords, revoke active sessions and OAuth tokens for those identities so that a password change alone is not bypassed. They should also enforce phishing-resistant MFA on the identity providers and hunt for infostealer infections on the endpoints the logs were taken from. Given the recurring harvesting, treat the exposure as ongoing rather than historical and keep monitoring.
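The triage described above (separate corporate identities from personal ones, distinguish IdP logins from third-party reuse, spot usernames harvested repeatedly from more than one infected machine, and turn the result into a reset list plus an endpoint hunt list) can be scripted. The following is an added example written for this page; it is not SOCRadar's tooling. The record layout, the set of hosts treated as identity providers beyond accounts.google.com, the scoring weights, and all sample records are assumptions constructed for illustration, not real leaked data.

```python
"""Triage of infostealer-log records for one corporate domain (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlparse

CORP_DOMAIN = "acemacon.org"  # domain named in the alert

# Hosts treated as identity-provider / SSO logins. accounts.google.com is the one
# the alert names; the other two are assumed for illustration.
IDP_HOSTS = {"accounts.google.com", "login.microsoftonline.com", "sso.acemacon.org"}
RECENT_WINDOW = timedelta(days=90)  # assumed cut-off for "recent" captures


@dataclass(frozen=True)
class StealerRecord:
    url: str          # login URL the stealer captured the credential for
    username: str
    password: str
    machine_id: str   # stealer-assigned identifier of the infected endpoint
    seen: date        # date the log was captured or posted


def is_corporate_identity(username: str) -> bool:
    """True when the harvested username is a mailbox on the corporate domain."""
    return username.lower().endswith("@" + CORP_DOMAIN)


def classify(rec: StealerRecord) -> str:
    """'idp' for identity-provider logins, 'corp-app' for hosts on the corporate
    domain, otherwise 'third-party' (a corporate username reused elsewhere)."""
    host = (urlparse(rec.url).hostname or "").lower()
    if host in IDP_HOSTS:
        return "idp"
    if host == CORP_DOMAIN or host.endswith("." + CORP_DOMAIN):
        return "corp-app"
    return "third-party"


def triage(records, as_of):
    """Rank corporate accounts for credential reset (personal accounts dropped).

    Score: +3 if an IdP credential was captured (direct tenant access),
    +2 if a corporate-app credential was, +1 per additional infected machine
    the same username came from (repeat harvesting), +1 if the latest capture
    falls within RECENT_WINDOW of `as_of`.
    """
    by_user = defaultdict(list)
    for rec in records:
        if is_corporate_identity(rec.username):
            by_user[rec.username.lower()].append(rec)

    rows = []
    for user, recs in by_user.items():
        cats = {classify(r) for r in recs}
        machines = {r.machine_id for r in recs}
        latest = max(r.seen for r in recs)
        score = 0
        if "idp" in cats:
            score += 3
        if "corp-app" in cats:
            score += 2
        score += len(machines) - 1
        if as_of - latest <= RECENT_WINDOW:
            score += 1
        rows.append({"user": user, "categories": sorted(cats),
                     "machines": sorted(machines), "latest": latest,
                     "priority": score})
    return sorted(rows, key=lambda r: (-r["priority"], r["user"]))


def infected_machines(records):
    """Map each infected endpoint to the corporate accounts harvested from it;
    this is the hunt list handed to the endpoint team."""
    out = defaultdict(set)
    for rec in records:
        if is_corporate_identity(rec.username):
            out[rec.machine_id].add(rec.username.lower())
    return {m: sorted(users) for m, users in out.items()}


# Constructed sample records for illustration only; not real leaked data.
SAMPLE = [
    StealerRecord("https://accounts.google.com/signin", "jdoe@acemacon.org", "x", "M1", date(2024, 3, 2)),
    StealerRecord("https://www.canva.com/login", "jdoe@acemacon.org", "x", "M1", date(2024, 3, 2)),
    StealerRecord("https://accounts.google.com/signin", "JDoe@acemacon.org", "y", "M2", date(2026, 6, 10)),
    StealerRecord("https://portal.acemacon.org/login", "asmith@acemacon.org", "x", "M3", date(2025, 11, 20)),
    StealerRecord("https://idverify.example/login", "bwong@acemacon.org", "x", "M4", date(2026, 5, 1)),
    StealerRecord("https://accounts.google.com/signin", "someone@gmail.com", "x", "M1", date(2024, 3, 2)),
]
AS_OF = date(2026, 6, 28)  # date of the leak-site listing

if __name__ == "__main__":
    for row in triage(SAMPLE, AS_OF):
        print(row)
    print(infected_machines(SAMPLE))
```

Run against the sample, jdoe ranks first: an IdP credential, harvested from two different machines two years apart, with the latest capture weeks before the listing. That combination (same identity, new machine, new date) is what the alert means by recurring harvesting, and it is why the reset list and the endpoint hunt list are produced together; resetting the password without cleaning machine M2 leaves the stealer in place to capture the new one.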