7 million Bitcoin are sitting ducks for quantum computers (including all of Satoshi's)

bitcoinindex.net · 6 min read

Bitcoin’s most valuable wallets are sitting ducks. Nearly 7 million BTC, worth roughly $440 billion, are vulnerable to quantum computers. That includes every satoshi Satoshi Nakamoto ever mined. The question isn’t if quantum attackers will come. It’s whether Bitcoin will freeze the coins or let them be stolen.

Andreas Antonopoulos once said we’ll know quantum computing is real when Satoshi’s coins move. That’s not a joke. It’s an early warning system. And the Bitcoin community is now debating what to do when the alarm goes off.

How quantum computers break Bitcoin

Classical computers can’t derive a Bitcoin private key from a public key. It would take trillions of years. Quantum computers running Shor’s algorithm could do it in minutes.

Bitcoin uses ECDSA (Elliptic Curve Digital Signature Algorithm) on the secp256k1 curve. Your private key generates your public key through a one-way function. Classically irreversible. Quantum computers reverse it: public key back to private key. Once an attacker has your private key, they can forge valid signatures and drain your wallet. The theft looks identical to a legitimate spend.

Taproot and Schnorr signatures don’t help. They use the same curve. Same vulnerability.

The threat is real. The timeline is the argument.

6.89 million BTC at risk: the breakdown

CryptoQuant CEO Ki Young Ju quantified the exposure in February 2026: 6.89 million BTC are vulnerable. That’s 32% of Bitcoin’s total supply.

1.91 million BTC in P2PK addresses: These are the highest risk. P2PK (Pay-to-Public-Key) was Bitcoin’s early transaction type, used from 2009 to 2012. The public key is embedded directly on-chain when the UTXO is created. Permanent exposure. Quantum attackers can see these keys years before attacking. “Harvest now, attack later.”

Satoshi’s estimated 1 million BTC sits in P2PK addresses. All of it vulnerable. Those coins have never moved.

4.98 million BTC with exposed keys from prior transactions: Modern addresses (P2PKH, SegWit, Taproot) only reveal a hash of your public key when you receive funds. Your actual public key is revealed when you spend. Once revealed, it’s permanently on-chain. Many users reuse addresses. Exchanges, old wallets, careless holders. Those coins are exposed.

Fresh addresses that have never spent are safer. The public key is only revealed when you broadcast a transaction. A quantum attacker would need to see your transaction in the mempool, derive your private key in minutes, then broadcast a conflicting transaction with a higher fee and get it mined first. Possible, but harder to execute at scale.

Total vulnerable: $440 billion. At current prices, that’s larger than the GDP of Austria.

When will quantum computers arrive?

Google’s Willow chip hit 105 qubits in December 2024. It achieved “below-threshold error correction,” meaning error rates decrease as qubits increase. That’s a big deal. But it’s nowhere near the scale needed to crack Bitcoin.

Breaking Bitcoin’s ECDSA requires millions of logical qubits. Some estimates suggest 317 million physical qubits to crack a 256-bit key within an hour, accounting for error correction. That’s 100,000 times more powerful than current machines.

The consensus timeline is mid-2030s to mid-2040s. Bitfinex’s analysis calls the threat “likely decades away.” CoinShares agrees: quantum threats are “not imminent.”

But the pessimistic camp disagrees. Recent research suggests RSA-2048 could be broken in 2-3 years. If RSA falls, ECDSA likely follows. Zeynep Koruturk of Firgun Ventures told CoinDesk, “The quantum community was stunned” by the research. That timeline would change everything.

Quantum progress is non-linear. Google Willow’s error correction was a sudden breakthrough. The next one could come tomorrow. Or in 20 years. Nobody knows.

The freeze-or-steal debate

Should Bitcoin implement a soft fork to freeze vulnerable UTXOs before quantum computers arrive? Or should it preserve immutability and let quantum attackers claim the coins?

This is Bitcoin’s existential question.

Freeze them: the case for burning vulnerable coins

Jameson Lopp, co-founder of Casa, argues for burning vulnerable coins. Not confiscation. Burning. Place them out of reach of everyone.

Why? Allowing quantum recovery is wealth redistribution to tech supremacy winners. Google, IBM, the NSA, nation states. “Quantum miners don’t trade anything,” Lopp writes. “They are vampires feeding upon the system.”

If quantum attackers dump billions of BTC, the price crashes. That harms everyone. Better to burn the coins than reward technological supremacy over productive participation.

Lopp proposes a soft fork after a specific block height. Nodes would reject transactions spending from quantum-vulnerable locking scripts. Give users a 4+ year migration window. Only affects P2PK and exposed-key addresses. If quantum attackers appear early, accelerate the timeline.
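To make the exposure breakdown above concrete, and to show what a rule like Lopp's would actually check, here is an added Python example (not from the article, nor from any proposal it cites) that classifies a scriptPubKey by when its public key becomes visible, remembers keys revealed by spends so that address reuse is caught, and refuses spends from exposed outputs once an assumed activation height of 1,000,000 is reached. All keys and scripts are constructed placeholders, not real curve points. One caveat the classifier encodes: a P2TR output script carries the 32-byte x-only output key itself rather than a hash, so Taproot outputs are flagged on receipt, which is exactly why BIP 360 drops key-path spending.

```python
import hashlib
from enum import Enum

# Bitcoin script opcodes used below (real values)
OP_0, OP_1, OP_DUP, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x00, 0x51, 0x76, 0x88, 0xA9, 0xAC


class Exposure(Enum):
    ON_RECEIPT = "public key sits in the output script itself"        # P2PK, P2TR
    ON_SPEND = "only a hash is on-chain until a spend reveals the key"  # P2PKH, P2WPKH
    UNKNOWN = "script type not recognised"


def hash160(data: bytes) -> bytes:
    """Bitcoin's HASH160 = RIPEMD160(SHA256(x)). On OpenSSL builds without RIPEMD-160 it falls
    back to a truncated double SHA-256, a consistent stand-in for the demo, not the real hash."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return hashlib.sha256(sha).digest()[:20]


# Output-script builders for the four output types the article discusses
def p2pk(pub: bytes) -> bytes:   return bytes([len(pub)]) + pub + bytes([OP_CHECKSIG])
def p2pkh(pub: bytes) -> bytes:  return bytes([OP_DUP, OP_HASH160, 20]) + hash160(pub) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
def p2wpkh(pub: bytes) -> bytes: return bytes([OP_0, 20]) + hash160(pub)
def p2tr(xonly: bytes) -> bytes: return bytes([OP_1, 32]) + xonly


def classify(spk: bytes):
    """Return (script type, when the key is exposed, key or key-hash) for a scriptPubKey."""
    n = len(spk)
    if n in (35, 67) and spk[0] in (33, 65) and spk[-1] == OP_CHECKSIG:
        return "P2PK", Exposure.ON_RECEIPT, spk[1:-1]
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", Exposure.ON_SPEND, spk[3:23]
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "P2WPKH", Exposure.ON_SPEND, spk[2:]
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "P2TR", Exposure.ON_RECEIPT, spk[2:]   # x-only output key is on-chain, not a hash
    return "OTHER", Exposure.UNKNOWN, b""


class ExposureTracker:
    """Remembers every public key a spend has revealed, keyed by its HASH160."""

    def __init__(self):
        self.revealed = set()

    def observe_spend(self, pubkey: bytes) -> None:
        # A scriptSig or witness that satisfies a hash-based output contains the full key.
        self.revealed.add(hash160(pubkey))

    def is_vulnerable(self, spk: bytes) -> bool:
        _, exposure, material = classify(spk)
        if exposure is Exposure.ON_RECEIPT:
            return True
        if exposure is Exposure.ON_SPEND:
            return material in self.revealed   # catches address reuse across many UTXOs
        return False  # P2SH/P2WSH etc. are left unclassified in this sketch


def spend_allowed(height: int, prev_spk: bytes, tracker: ExposureTracker, activation_height: int) -> bool:
    """Lopp-style soft-fork rule: after activation, reject spends from outputs whose key is already exposed."""
    if height < activation_height:
        return True
    return not tracker.is_vulnerable(prev_spk)


def demo() -> dict:
    # Constructed placeholder keys (not real secp256k1 points)
    early_pub = b"\x04" + bytes(range(64))     # 65-byte uncompressed key, 2009-style P2PK
    reused_pub = b"\x02" + bytes([1] * 32)
    fresh_pub = b"\x03" + bytes([2] * 32)
    taproot_key = bytes([3] * 32)

    tracker = ExposureTracker()
    coinbase_2009 = p2pk(early_pub)
    reused_a, reused_b = p2pkh(reused_pub), p2pkh(reused_pub)   # same address paid twice
    fresh, tr = p2wpkh(fresh_pub), p2tr(taproot_key)

    reused_before = tracker.is_vulnerable(reused_b)
    tracker.observe_spend(reused_pub)   # spending reused_a puts the key on-chain for good
    activation = 1_000_000              # assumed activation height for the demo
    return {
        "p2pk_exposed": tracker.is_vulnerable(coinbase_2009),
        "reused_before_spend": reused_before,
        "reused_after_spend": tracker.is_vulnerable(reused_b),
        "fresh_safe": not tracker.is_vulnerable(fresh),
        "taproot_exposed": tracker.is_vulnerable(tr),
        "p2pk_spend_before_fork": spend_allowed(activation - 1, coinbase_2009, tracker, activation),
        "p2pk_spend_after_fork": spend_allowed(activation, coinbase_2009, tracker, activation),
        "fresh_spend_after_fork": spend_allowed(activation, fresh, tracker, activation),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value}")
```

The tracker is the part a real node would have to build carefully: it needs the full history of revealed keys, not just the current UTXO set, because the second P2PKH output only becomes vulnerable through a spend of the first. Script-hash outputs (P2SH, P2WSH) are left as UNKNOWN here; a production rule would need to look inside the redeem script.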

Benefits: stable prices, no supply inflation, an incentive for proactive security upgrades, and a cleaner UTXO set. Miners and businesses benefit too: fee revenue from the mass migration sustains the network.

Let them steal: the case for immutability

Paolo Ardoino, CEO of Tether, disagrees. “Any bitcoin in lost wallets, including Satoshi (if not alive), will be hacked and put back in circulation. Any inflationary effect from lost coins returning to circulation would be temporary.”

Roya Mahboob of Digital Citizen Fund goes further: “Freezing old Satoshi-era addresses would violate immutability and property rights. Even coins from 2009 are protected by the same rules as coins mined today. If quantum systems eventually crack exposed keys, whoever solves them first should claim the coins.”

Why allow quantum recovery? Immutability. Bitcoin’s core promise is “code is law.” Changing the rules undermines trust. Private keys equal ownership. If cryptography breaks, that’s the risk users took. Personal responsibility.

Bitcoin has weathered theft before. Mt.Gox, Bitfinex, FTX. It survived. It will survive quantum theft.

Freezing coins sets a dangerous precedent. What stops future interventions for exchange hacks? Government pressure? Where does it end?

Counterargument: “Code is law” can be amended via soft fork. Taproot and SegWit were code changes. Not freezing equals apathy toward theft, not neutrality.

What Bitcoin is doing about it

BIP 360 (Pay-to-Merkle-Root) was recently merged into the Bitcoin Improvement Proposals repository. It’s a new output type designed to reduce long-exposure risk. Taproot-like script trees, but no key-path spending. Public keys are never embedded on-chain for long periods.

It’s a foundation for post-quantum migration, but not the final solution. Larger witnesses, less compact than Taproot. Doesn’t solve mempool-race attacks. Doesn’t address post-quantum signature schemes.

NIST finalized post-quantum standards in August 2024: ML-DSA (Dilithium), SLH-DSA (SPHINCS+), ML-KEM (Kyber). All lattice-based or hash-based. All quantum-resistant.

The problem? Post-quantum signatures are 10 to 100 times larger than ECDSA. Dilithium: 2,400 bytes. SPHINCS+: 7,800 to 17,000 bytes. ECDSA: 70 bytes. Blocks would be larger, propagation slower, verification more CPU-intensive.

A hybrid approach is likely. Require both classical (ECDSA) and post-quantum signatures during the transition. Double security. Once the quantum threat is imminent, drop ECDSA.

But deployment takes time. Bitfinex estimates 1+ years for wallet software updates, 6+ months for hardware wallets, 6+ months minimum for user migration. Realistically, 4+ years for full ecosystem adoption. Total: 7+ years.

Bitcoin block space is limited. Migrating the entire UTXO set would take months even with 100% block space dedication. The fee market will spike. Demand far exceeds supply.
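The signature sizes quoted above and the block-space limit together decide how fast anything can migrate. This added Python example (mine, not the article's or Bitfinex's arithmetic) computes the weight of a single-input, single-output segwit-style transaction whose witness carries one signature and one public key, how many such transactions fit in a 4,000,000 weight-unit block, and how many blocks and days it takes to push a given number of UTXOs through at one UTXO per transaction. Signature sizes are the article's; the public-key sizes are my assumptions (1,312 bytes for ML-DSA-44 per FIPS 204, 32 bytes for an SLH-DSA key, 33 bytes for a compressed secp256k1 key), and the 10 million UTXO figure is a constructed round number, not the real UTXO-set size. The migration transactions themselves are signed with ECDSA (the old keys), so the ECDSA row is the migration cost; the post-quantum rows show the throughput cost once the new outputs are spent.

```python
import math

BLOCK_MAX_WEIGHT = 4_000_000   # consensus block weight limit, in weight units (BIP 141)
BLOCK_INTERVAL_MIN = 10        # average block spacing

# Signature sizes are the article's figures; public-key sizes are assumptions noted in the lead-in.
SCHEMES = {
    "ECDSA":     {"sig": 70,   "pubkey": 33},
    "Dilithium": {"sig": 2400, "pubkey": 1312},
    "SPHINCS+":  {"sig": 7800, "pubkey": 32},
}


def varint_len(n: int) -> int:
    """Bytes needed for Bitcoin's CompactSize encoding of a length n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5


def tx_weight(n_inputs: int, n_outputs: int, sig_bytes: int, pubkey_bytes: int,
              output_script_bytes: int = 34) -> int:
    """Weight of a segwit-style transaction with one signature and one public key per input.

    Non-witness bytes cost 4 weight units each, witness bytes 1. The default output
    script size (34 bytes) matches a P2TR or P2WSH-sized scriptPubKey.
    """
    base = (4                                   # version
            + 1 + n_inputs * 41                 # input count + (txid 32, vout 4, empty scriptSig len 1, sequence 4)
            + 1 + n_outputs * (8 + 1 + output_script_bytes)  # output count + (value, script len, script)
            + 4)                                # locktime
    per_input_witness = (1                      # witness stack item count
                         + varint_len(sig_bytes) + sig_bytes
                         + varint_len(pubkey_bytes) + pubkey_bytes)
    witness = 2 + n_inputs * per_input_witness  # segwit marker + flag, then one stack per input
    return 4 * base + witness


def txs_per_block(weight: int) -> int:
    """How many transactions of the given weight fit in a block that carries nothing else."""
    return BLOCK_MAX_WEIGHT // weight


def migration_blocks(n_utxos: int, sig_bytes: int, pubkey_bytes: int) -> int:
    """Blocks needed to move n_utxos, one per transaction, with 100% of block space dedicated."""
    return math.ceil(n_utxos / txs_per_block(tx_weight(1, 1, sig_bytes, pubkey_bytes)))


def migration_days(n_utxos: int, sig_bytes: int, pubkey_bytes: int) -> float:
    return migration_blocks(n_utxos, sig_bytes, pubkey_bytes) * BLOCK_INTERVAL_MIN / (24 * 60)


if __name__ == "__main__":
    N_UTXOS = 10_000_000  # constructed round figure, not the real UTXO-set size
    for name, s in SCHEMES.items():
        w = tx_weight(1, 1, s["sig"], s["pubkey"])
        print(f"{name:10s} weight={w:5d} WU  txs/block={txs_per_block(w):5d}  "
              f"{N_UTXOS:,} UTXOs -> {migration_blocks(N_UTXOS, s['sig'], s['pubkey']):,} blocks "
              f"(~{migration_days(N_UTXOS, s['sig'], s['pubkey']):.0f} days)")
```

With these inputs an ECDSA-signed spend weighs 484 WU, so about 8,264 of them fit per block, whereas a Dilithium-signed spend weighs 4,097 WU and only about 976 fit; that eight-fold drop in throughput is the concrete meaning of "blocks would be larger". The model ignores batching (many inputs per transaction) and fee-market effects, both of which change the absolute numbers but not the ratio between schemes.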

Taproot took 4 years from proposal to activation (2017 to 2021). A post-quantum fork will likely take similar time. Maybe longer. It’s a contentious issue.

Bitcoin has time. But not forever.

The quantum threat is real. The timeline is uncertain. The debate is existential.

Freeze the coins, and you violate immutability. Let them be stolen, and you hand $440 billion to whoever builds the first quantum computer. Neither option is clean.

I keep coming back to Andreas Antonopoulos’s warning. When Satoshi’s coins move, we’ll know. And by then, it might be too late to decide.

Bitcoin has time to prepare. But the clock is ticking. And the community needs to make a choice before quantum computers make it for them.

Sources:
CoinDesk: To freeze or not to freeze: Satoshi and the $440 billion in bitcoin threatened by quantum computing
Jameson Lopp: Against Allowing Quantum Recovery of Bitcoin
Bitfinex: Can Bitcoin Handle the Threat from Quantum Computing?
CoinGecko: Will Quantum Computing Kill Bitcoin?
Cointelegraph: CryptoQuant CEO warns 6.89M BTC at risk from quantum attack
Blockchain Council: Can Google’s Willow Crack Bitcoin?
BIP 360: Pay-to-Merkle-Root specification
NIST: Post-Quantum Encryption Standards
CoinShares: Quantum Vulnerability in Bitcoin: A Manageable Risk

Last updated February 24, 2026.