On December 27, the value of the L1 blockchain token Flow (FLOW) dropped by 40% — from $0.17 to $0.1. This decline followed an attack causing $3.9 million in damages.
At the time of writing, the asset had recovered to $0.12.
The incident was first highlighted by a user named Wazz. According to him, the attacker issued 5 million FLOW and sold them, draining liquidity pools. It is likely that the perpetrator compromised private keys.
Later, the Flow team reported the attack. Initially, developers announced an investigation into a “potential security incident,” but subsequently confirmed Wazz’s suspicions.
This is the verified update from the Flow Foundation.
INCIDENT CONFIRMED
On December 27, 2025, an attacker exploited a vulnerability in Flow’s execution layer and moved approximately $3.9M in assets off-network before validators executed a coordinated halt.
Critically, this… https://t.co/KEXzo0w8as
— Flow.com (@flow_blockchain) December 27, 2025
“The attacker exploited a vulnerability in Flow’s transaction execution layer and moved assets worth approximately $3.9 million off-network before validators coordinated a halt. Importantly, the attack did not affect user funds,” the statement said.
The hacker primarily moved assets through Celer, Debridge, Relay, Stargate bridges, and laundered coins via THORChain and Chainflip mixers. His addresses were identified and marked on the blockchain.
Developers have released an update to fix the vulnerability. However, the network is currently operating in a limited mode. The blockchain will later be restarted, rolling back its state to the moment before the incident.
Flow is a layer-one network designed for issuing NFTs and implementing gaming applications. The project allows the creation of dapps, digital collectibles, and metaverses.
The attack on the protocol and the token’s decline prompted some exchanges, such as South Korea’s Upbit and Bithumb, to temporarily suspend deposits for FLOW.
Earlier in December, the prediction platform Polymarket confirmed that several users were affected by a hack related to a vulnerability in a third-party provider.