The Flow Foundation has announced Phase Two of its recovery efforts following a $3.9 million hack that halted the Flow blockchain in late 2025. According to the foundation, work is ongoing, and the next phase of the restoration is expected to take several days to complete.
The breach has rattled parts of the crypto ecosystem, sparking conversations about safeguarding users, exchanges, and governance when a blockchain faces a security compromise.
Flow notes that developers had “identified a path to restore EVM [Ethereum Virtual Machine] functionality” as it addressed its non-EVM chain, Cadence. Meanwhile, the fix is in progress to clean up the exploit on the EVM environment, and the enquiry has been frozen for recent fixes.
The foundation stated that it would then test the fixes and retest any remaining maintenance tasks, adding that it planned to take most worlds offline before restoring the vast majority of them to full availability as soon as it deemed it safe to do so. The current progress report already shows that accounts are being returned and fake tokens are being reverted daily, with on-chain audits accessible to everyone.
Developers restore EVM as Cadence recovery moves forward
The incident occurred on December 27, 2025, when a variety of NFTs and other assets were transferred off the network – approximately $3.9 million in total – via cross-chain bridges after an attacker exploited vulnerabilities in the execution layer. According to the Flow Foundation, the network was halted after validators intervened to stop further losses.
Initially, Flow considered reverting the blockchain to a point in time before the exploit occurred. Critics warned that a reversal of the blocks could also reverse legitimate transactions, hide the bridges and exchanges used to move stolen money, and undermine investor confidence.
Then, after consulting with seniors, the foundation switched course to a targeted recovery approach. This scheme still maintains most valid transactions on-chain and only processes transactions that fail to act correctly. Under this plan, affected accounts have their assets temporarily frozen as forensic analysis is carried out to identify and fully remediate the illicitly minted tokens.
The foundation stated that the “scalpel” approach can enable them to resolve the issue and protect their principles of decentralization – not only for validators, but also for bridge providers, exchanges, and independent forensic partners.
Security breach disrupts the Flow ecosystem and triggers market volatility
The impact of the exploit has been felt throughout Flow’s ecosystem. The network freeze also temporarily shut down certain services, like the NFT lending service, where “a small percentage” of borrowers were unable to repay their maturing loans due to the transactions that came to a standstill.
Investors have already felt the impact of the incident. The Flow token (FLOW) has dropped sharply across major exchanges as trading resumed. The decline has fueled broader concerns about risk management practices and raised new questions about the strength and credibility of Flow’s network security model.
Flow Foundation said that after the Dec. 27 hack, a lone account had deposited around 150 million of its FLOW tokens — approximately 10% of what has been released so far and about $54 million at time of writing — to a centralized exchange, swapped most of them into other assets like Bitcoin, then cashed out more than $5 million before operations could be ground to a halt. The group attributed this to flaws in the exchange’s AML/KYC controls, which shifted financial risk onto users who may have unknowingly acquired bogus tokens.
Sharpen your strategy with mentorship + daily ideas - 30 days free access to our trading program
