The Flow Foundation has moved its recovery efforts into a second phase following a $3.9 million exploit that disrupted the network late last month, while also raising fresh concerns about how a centralized exchange handled large token movements tied to the incident. In an update posted Thursday, Flow said it had made “significant progress” on its remediation plan and had begun phase two of the recovery, which is expected to take several days. UPDATE: EVM RESTORATION ACCELERATED & PHASE 2 PROGRESS Remediation of the Flow network continues in Phase 2 with significant progress. The Flow core developer team has identified a path to restore EVM functionality during ongoing Cadence remediation. This unlocks EVM to proceed… — Flow.com (@flow_blockchain) January 1, 2026 The foundation said developers have identified a way to restore Ethereum Virtual Machine functionality in parallel with ongoing fixes to Flow’s native Cadence environment. Flow Resumes Blocks and Moves Toward Full Recovery Flow noted that the EVM network could return within 24 hours of the announcement, barring unforeseen issues. Block production on the network has already resumed, with the latest block stamped at 09:30:50 UTC on Jan. 2, 2026. Source: Flowscan Cadence-based transactions are processing, while account-by-account verification continues for wallets affected by the exploit. Flow said fraudulent tokens are being removed through on-chain transactions that can be independently verified, and that more than 99.9% of accounts are expected to retain full access once EVM functionality is restored. The exploit occurred on Dec. 27, when an attacker took advantage of a vulnerability in Flow’s execution layer to mint and distribute fraudulent tokens, moving roughly $3.9 million in assets across multiple bridges before validators halted the chain. @flow_blockchain 's planned controversial rollback after a $3.9M exploit draws backlash from “blindsided” ecosystem partners #Flow #Blockchain #Exploit https://t.co/A8w3rJJAUn — Cryptonews.com (@cryptonews) December 29, 2025 Investigators later identified the attacker’s Ethereum wallet and tracked attempted laundering through cross-chain protocols, while freeze requests were sent to major exchanges and stablecoin issuers. Initially, Flow developers proposed rolling the chain back to a checkpoint prior to the exploit. That proposal drew sharp criticism from bridge operators and other ecosystem partners, who warned it could create accounting inconsistencies and push losses onto third parties. After Backlash, Flow Opts for Targeted Token Cleanup Following the backlash, the foundation introduced a revised plan focused on isolating and destroying illicit tokens while preserving legitimate transactions. Under the current approach , the network restarted from the last sealed block before the halt, without reorganizing the chain. Roughly 1,500 Cadence accounts that received fraudulent tokens were temporarily restricted while remediation transactions were carried out. Source: Flow network Recovery plan Flow said most of those accounts have little or no prior activity and are expected to be restored quickly once the illicit balances are removed. Validators approved a temporary software upgrade granting elevated permissions to carry out the cleanup, with those permissions set to be revoked once remediation is complete. As part of its post-mortem disclosures, Flow also flagged what it described as troubling activity on an unnamed centralized exchange. The foundation said that within hours of the exploit, a single account deposited around 150 million FLOW tokens, roughly 10% of the total supply, converted a large portion into bitcoin, and withdrew more than $5 million before the network was halted. Flow said the exchange failed to respond to requests for information about the trading patterns, calling the episode an apparent AML and KYC lapse that shifted risk onto users who unknowingly bought fraudulent tokens. While Flow did not identify the exchange, some users have speculated it could involve Binance. Market data shows the fallout is still weighing on Flow’s DeFi ecosystem, as the total value locked on the network fell 12% over the past 24 hours to about $72.1 million, down from roughly $102 million on Dec. 31. The FLOW token is currently trading at $0.081, dropping by 53.3% in the last 7 days following the exploit and the initial rollback proposal, as uncertainty spread and some exchanges paused deposits and withdrawals. The post Flow Pushes $3.9M Recovery Into Phase Two — Exchange Risks Still Present appeared first on Cryptonews .
