The Flow Foundation has initiated the second phase of its recovery process after a significant hack resulted in a loss of $3.9 million on December 27, 2025. This incident led to a temporary halt of the Flow blockchain, raising urgent discussions regarding the need for enhanced security measures within the cryptocurrency ecosystem.
In their recent update, the foundation detailed ongoing work aimed at restoring functionality, particularly for the Ethereum Virtual Machine (EVM). The foundation is also addressing issues with its non-EVM chain, Cadence. Efforts are currently focused on rectifying the exploit that affected the EVM environment, with an investigation into recent fixes now on hold.
After completing the necessary adjustments, Flow Foundation plans to rigorously test these fixes before undertaking further maintenance tasks. To ensure security, the foundation intends to temporarily take most worlds offline, gradually restoring them once they confirm safety. Daily progress reports indicate that accounts are being reinstated and fraudulent tokens are being reverted, with on-chain audits made publicly accessible.
The breach first occurred when multiple NFTs and various assets were illicitly transferred off the network, with the attacker exploiting vulnerabilities in the execution layer. Following the incident, validators acted swiftly to freeze the network and prevent additional losses.
Initially, the Flow Foundation considered a complete reversal of the blockchain to a pre-exploit state. However, concerns arose regarding the potential reversal of legitimate transactions, which could obscure the trails of stolen assets and damage investor trust. After careful deliberation, the foundation opted for a more targeted recovery plan, allowing most valid transactions to remain while addressing specific problematic cases.
This meticulous “scalpel” method aims to resolve the situation without compromising Flow's commitment to decentralization, extending this principle to validators, bridge providers, exchanges, and independent forensic partners.
The ramifications of the exploit have been felt across the Flow ecosystem, leading to service disruptions, including the halting of an NFT lending service that affected a small percentage of borrowers unable to meet their loan obligations. As trading resumed, the FLOW token experienced a sharp decline on major exchanges, heightening concerns about risk management practices and the robustness of the network's security.
In a notable post-exploit move, a single account deposited approximately 150 million FLOW tokens—representing around 10% of the total released—into a centralized exchange. This action resulted in the conversion of most tokens into other digital assets like Bitcoin, leading to over $5 million being cashed out before operations could be halted. The foundation has attributed this incident to weaknesses in the exchange's anti-money laundering (AML) and know your customer (KYC) protocols, which inadvertently shifted financial risks to users potentially in possession of counterfeit tokens.











































