Submitted: 19 hours ago
6/23/2026 | 1:04 AM
Guest
Other Hacking Scam
Unauthorized API-key compromise — funds laundered via Polygon→Ethereum bridge, BRL stablecoin OTC desk and Bybit cash-out

On June 19, 2026, an attacker used a compromised payment-API credential to create unauthorized transactions draining a client of a payment-infrastructure provider. Approximately R$ 853,065.49 (~US$ 153k) was converted to USDT and sent to the destination wallet 0x16b7423622b1a933b459102560865d246fb11139 (same address on Polygon and Ethereum). The funds were bridged from Polygon to Ethereum via Across Protocol, swapped to ETH through 1inch and CoW Protocol, and the bulk (~118.47 ETH plus residual stablecoins, ~US$ 300k+) remains idle in that same wallet on Ethereum.

A residual stablecoin fraction (~7,767 USDC) was funneled on June 20, 2026 through a family of vanity withdrawal addresses (suffix "C309") into Bybit hot wallets. Part of the funding infrastructure enters the crypto ecosystem through a high-volume OTC desk dealing in the Brazilian stablecoins BRLA and BRZ, converting them to USDC via LI.FI and ParaSwap through an ERC-4337 smart account. The initial funding wallet is already publicly tagged "Fake_Phishing1064860" on Etherscan, and the actors use address poisoning (dust + fake USDC tokens) to pollute tracing. All listed addresses are part of the same laundering operation.
ETH | 0x16b7423622b1a933b459102560865d246fb11139
