
Quantum Computing Could Drain 6.9 Million Bitcoin Including Satoshi's Stash as the Clock Ticks
6.9 million BTC face quantum computing threats by 2029, including Satoshi's stash. Here's what the technical timeline means for Bitcoin holders.
Roughly one-third of all Bitcoin ever mined sits in addresses that a sufficiently powerful quantum computer could crack open. That's 6.9 million BTC, worth hundreds of billions of dollars at current prices, including the estimated 1.1 million coins attributed to Satoshi Nakamoto.
The timeline for this threat has compressed dramatically. Google's Quantum AI whitepaper, published March 30, 2026, estimates that breaking Bitcoin's ECDSA-256 signature scheme would require under 500,000 physical qubits, potentially executing the attack in just nine minutes. That's roughly 20 times fewer resources than researchers estimated even two years ago.
The question isn't whether Bitcoin needs to upgrade its cryptography. It's whether the network can coordinate fast enough to do it.
Why 6.9 Million BTC Are Exposed
Not all Bitcoin addresses face the same risk. The vulnerability centers on coins held in addresses where the public key is visible on the blockchain.
Modern Bitcoin addresses use a hash of the public key, meaning the actual key only becomes exposed when you spend from that address. But early Bitcoin used a format called Pay-to-Public-Key (P2PK), which broadcasts the public key from the moment coins arrive.
Satoshi's coins fall into this category. So do millions of other early holdings, coins that have sat untouched since Bitcoin's first years. These addresses can't be protected by their owners simply choosing not to spend; the cryptographic target is already public.
A quantum computer running Shor's algorithm against an exposed public key could derive the private key and drain the funds. As of April 2026, approximately 6.9 million BTC remain in these vulnerable address types.
The Timeline Has Shortened
For years, "Q-Day" (the moment quantum computers can break elliptic curve cryptography) felt comfortably distant. Estimates suggested millions of qubits would be needed, putting the threat decades away.
That cushion has evaporated.
On April 24, 2026, researcher Giancarlo Lelli broke a 15-bit ECDSA key using publicly available quantum hardware. While 15 bits is trivial compared to Bitcoin's 256-bit keys, the result represented a 512-fold improvement over September 2025 benchmarks. The pace of progress, not just the current capability, is what matters.
Google and Caltech researchers now project Q-Day could arrive as early as 2029. Investment firm Bernstein's April 2026 analysis describes a "3-5 year credible threat window."
That's not distant future speculation. That's potentially within a single Bitcoin halving cycle.
BIP-361 and the Governance Challenge
Bitcoin developers aren't ignoring the problem. BIP-361, co-authored by Jameson Lopp and published in April 2026, proposes a phased approach to protecting the network.
Phase A would ban transactions sending to vulnerable address types, taking effect roughly three years after activation. Phase B, arriving about two years later, would freeze any coins that haven't migrated to quantum-resistant addresses.
The proposal is technically sound. The governance challenge is immense.
Freezing unmigrated coins would be unprecedented. It would mean rendering potentially millions of Bitcoin permanently unspendable, including Satoshi's stash. Some argue this is necessary network hygiene. Others see it as violating Bitcoin's core promise of permissionless, censorship-resistant money.
Any change of this magnitude requires either a hard fork or a contentious soft fork, either of which risks splitting the network. Bitcoin's upgrade history suggests these debates can drag on for years. The community may not have years to spare.
Mining Remains Resilient, For Now
One reassuring detail: Bitcoin's proof-of-work mining faces a different, less severe threat.
SHA-256 hashing (used in mining) is vulnerable to Grover's algorithm, which offers only a quadratic speedup rather than the exponential advantage Shor's provides against signatures. Doubling the hash output length would restore full security, and the computational economics of quantum mining remain unfavorable for the foreseeable future.
The network's consensus mechanism isn't the immediate concern. The signature scheme protecting individual wallets is.
What Wallet Users Should Consider Now
If you hold Bitcoin in modern addresses (those starting with "1", "3", or "bc1") and have never spent from them, your public key isn't exposed on-chain. Your near-term risk is lower, though not zero, since spending will reveal the key.
For anyone managing significant holdings, especially in multisig configurations, now is the time to audit address types and plan migration strategies. Tools like Caravan can help users building DIY multisig setups understand their wallet structure and coordinate potential migrations without trusting third-party servers.
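One way to run the address-type audit described above, as an added example rather than code from the article, BIP-361 or Caravan: a small Python classifier that takes an output's scriptPubKey in hex and reports whether the public key is visible before any spend. It goes beyond the text by also flagging Taproot (bc1p) and bare multisig outputs, whose scripts contain the key itself; the function names and the sample scripts are constructed for illustration.

```python
from typing import Optional

# Opcode values used by the standard output templates.
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_HASH160, OP_EQUAL = 0x76, 0xA9, 0x87
OP_EQUALVERIFY, OP_CHECKSIG, OP_CHECKMULTISIG = 0x88, 0xAC, 0xAE

def classify_script(script_hex: str) -> tuple[str, Optional[bool]]:
    """Return (type, key_exposed_at_rest); None means review by hand."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <33- or 65-byte public key> OP_CHECKSIG
    if (n in (35, 67) and s[0] == n - 2 and s[-1] == OP_CHECKSIG
            and (s[1] in (2, 3) if n == 35 else s[1] == 4)):
        return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH", False
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == bytes([OP_HASH160, 20]) and s[22] == OP_EQUAL:
        return "P2SH", False
    # Witness v0: only a key hash or script hash is published
    if n == 22 and s[:2] == bytes([OP_0, 20]):
        return "P2WPKH", False
    if n == 34 and s[:2] == bytes([OP_0, 32]):
        return "P2WSH", False
    # P2TR: OP_1 <32-byte x-only output key>, the key itself is in the script
    if n == 34 and s[:2] == bytes([OP_1, 32]):
        return "P2TR", True
    # Bare multisig: OP_m <keys...> OP_n OP_CHECKMULTISIG
    if (n >= 37 and OP_1 <= s[0] <= OP_16 and OP_1 <= s[-2] <= OP_16
            and s[-1] == OP_CHECKMULTISIG):
        return "bare-multisig", True
    return "nonstandard", None

def audit(outputs: dict[str, str]) -> list[str]:
    """Labels of outputs whose public key is visible before any spend."""
    return [k for k, spk in outputs.items() if classify_script(spk)[1]]

# Constructed sample scripts (filler bytes, not real on-chain outputs).
SAMPLE = {
    "early-p2pk": "41" + "04" + "11" * 64 + "ac",
    "legacy-1": "76a914" + "22" * 20 + "88ac",
    "segwit-bc1q": "0014" + "33" * 20,
    "taproot-bc1p": "5120" + "44" * 32,
}

print(audit(SAMPLE))
```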
The post-quantum standards exist. NIST finalized FIPS 203-205 in 2024, and testnets like BTQ's Bitcoin Quantum (launched January 2026) are already experimenting with ML-DSA signatures. The cryptographic solutions aren't the bottleneck. Community consensus is.
The Contrarian View
Not everyone is sounding alarms. Some analysts point out that Bitcoin's price declined through 2025 and into 2026, suggesting markets may have already priced in quantum risk. Others argue the compressed timelines remain speculative, and that the cryptocurrency community has repeatedly upgraded systems under pressure when necessary.
There's also an argument that freezing vulnerable coins, however uncomfortable, would actually strengthen Bitcoin's long-term credibility by demonstrating the network can adapt to existential threats.
These perspectives deserve consideration. But they don't change the underlying math: cryptography that was considered unbreakable is approaching breakability faster than anticipated.
Looking Forward
Bitcoin has survived contentious forks, exchange collapses, and regulatory crackdowns. The quantum threat is different because it's a technical deadline with an uncertain but narrowing timeline.
The network's response over the next two to three years will determine whether Bitcoin successfully migrates to post-quantum cryptography, or whether billions in value become a bounty for whoever builds a sufficiently powerful quantum computer first.
For individual holders, the practical steps are clear: understand your address types, monitor BIP-361's progress, and prepare for what could be Bitcoin's most significant cryptographic upgrade since its creation.
The clock is ticking. Whether it's ticking toward 2029 or 2035 matters less than recognizing it's ticking at all.