
6.9 Million Bitcoin Are Vulnerable to Quantum Computers. Here Is What That Actually Means.

By Satish Chand Gupta

Project Eleven estimates roughly 6.9 million Bitcoin sit in addresses with exposed public keys, about one third of the total supply that will ever exist. That includes Satoshi Nakamoto’s approximately 1 million coins, untouched since the network’s earliest years. A sufficiently powerful quantum computer could use those exposed public keys to derive the corresponding private keys and drain the wallets before the owner could react. No quantum computer capable of doing that exists today. The question the Bitcoin community is now actively debating is whether one will exist before Bitcoin has a migration plan ready.

Key Highlights

  • Project Eleven estimates 6.9 million BTC sit in addresses with exposed public keys, making them theoretically vulnerable to a quantum computer that can break elliptic curve cryptography
  • Satoshi Nakamoto’s approximately 1 million coins are among the exposed holdings. Those coins have not moved since Bitcoin’s earliest days and sit in early format Pay to Public Key addresses
  • A researcher won a 1 BTC bounty in April 2026 for completing the largest quantum attack on the elliptic curve cryptography underlying Bitcoin’s signature scheme, though at a scale far below what would threaten real wallets
  • BIP-360 proposes new quantum safe address types that holders could voluntarily migrate to. The proposal does not yet have broad support from Bitcoin’s core developers.
  • Ripple published a four phase plan to make the XRP Ledger quantum resistant by 2028. Bitcoin has no equivalent published migration timeline.
  • Current quantum hardware is not yet capable of breaking Bitcoin at scale. The pressure is about preparing the migration path before the hardware catches up, not responding to an active threat.

How the vulnerability actually works

Bitcoin uses elliptic curve cryptography to link public keys to private keys. When you receive Bitcoin, your public key or an address derived from it gets recorded on chain. When you spend Bitcoin, you reveal your public key in the spending transaction, alongside the signature. Once the public key is visible on chain, it stays there permanently.

Classical computers cannot derive a private key from a public key in any practical timeframe. The mathematics of elliptic curve cryptography make that computation effectively impossible with today’s hardware. Quantum computers running Shor’s algorithm can solve the same problem exponentially faster. The specific threat is a sufficiently large and stable quantum computer running Shor’s algorithm against an exposed Bitcoin public key long enough to extract the private key.

The 6.9 million BTC estimate covers addresses where the public key has already been exposed. Pay to Public Key addresses, used heavily in Bitcoin’s early years including all of Satoshi’s known coins, expose the public key directly. Pay to Public Key Hash addresses, which are more common today, expose the public key only when the owner sends a transaction. Coins that have never moved from a Pay to Public Key Hash address have not exposed their public key yet. They are safer, though a quantum computer could still theoretically attack them during the brief window between a transaction being broadcast and being confirmed.
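
The distinction above can be read directly from an output's locking script. The following is an added example, not code from this article or from Project Eleven: it classifies constructed sample scripts as Pay to Public Key (key on chain) or Pay to Public Key Hash (hash only until the owner spends). The function names, the `key_spent_before` flag and all sample values are assumptions made for illustration.

```python
# Added example. Sample scripts are constructed; key/hash bytes are filler, not real keys.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

def script_type(script: bytes) -> str:
    """Return 'p2pk', 'p2pkh' or 'other' for a raw output (locking) script."""
    n = len(script)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG, so the key itself is in the output.
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        prefix = script[1]
        if (n == 35 and prefix in (0x02, 0x03)) or (n == 67 and prefix == 0x04):
            return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    return "other"


def exposure(script_hex: str, key_spent_before: bool) -> str:
    """Classify one unspent output: 'exposed', 'hash-only', 'unknown' or 'invalid'."""
    try:
        script = bytes.fromhex(script_hex)
    except ValueError:
        return "invalid"
    kind = script_type(script)
    if kind == "p2pk":
        return "exposed"
    if kind == "p2pkh":
        # Only the hash is on chain until the owner has spent with this key.
        return "exposed" if key_spent_before else "hash-only"
    return "unknown"


def exposed_total(utxos) -> int:
    """Sum the satoshi value of outputs whose public key is already on chain."""
    return sum(value for s, spent, value in utxos if exposure(s, spent) == "exposed")


# (script hex, key already revealed by an earlier spend?, value in satoshis)
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", False, 5_000_000_000),  # early-style P2PK
    ("21" + "02" + "22" * 32 + "ac", False, 100_000_000),    # P2PK, compressed key
    ("76a914" + "33" * 20 + "88ac", False, 200_000_000),     # P2PKH, never spent
    ("76a914" + "44" * 20 + "88ac", True, 30_000_000),       # P2PKH, address reused
    ("zz", False, 1),                                         # malformed hex
]

if __name__ == "__main__":
    print([exposure(s, k) for s, k, _ in SAMPLE_UTXOS], exposed_total(SAMPLE_UTXOS))
```

Other script types fall through to "unknown" here; the sketch covers only the two formats the article describes.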

Why Satoshi’s coins are the most discussed target

Satoshi’s approximately 1 million Bitcoin sit in Pay to Public Key addresses from 2009 and 2010. The public keys are permanently on chain. The coins have not moved in 15-plus years, which means there is no ongoing transaction activity that would give advance warning of an attack. A quantum attacker targeting those coins would have as much time as needed to derive the private keys, limited only by quantum hardware stability rather than any time pressure from the owner’s activity.

The scenario creates a specific social problem beyond the technical one. If a quantum computer ever drained Satoshi’s coins and moved approximately $80 billion in Bitcoin to a new address, the Bitcoin network would face an immediate crisis: was this Satoshi finally moving coins voluntarily, or was it the first successful quantum attack on the network? The inability to distinguish those two scenarios on chain is a design limitation that no technical proposal has fully resolved. With $102 billion in Bitcoin ETF AUM on the line, the market implications of that ambiguity are now genuinely systemic.

What BIP-360 proposes and why it does not yet have consensus

BIP-360 proposes new quantum safe address types based on post quantum cryptographic algorithms that quantum computers cannot break using known techniques. Holders would voluntarily migrate coins from vulnerable addresses to new quantum safe addresses before the quantum threat matures. The migration would be opt in rather than mandatory, which avoids the politically explosive question of what happens to coins that do not migrate.

The opt in design is also the main weakness. Satoshi’s coins cannot opt in because no one has the private keys to authorize a migration. Any solution that relies on voluntary migration leaves the most prominent vulnerable coins permanently exposed. A mandatory migration that burns or freezes unmigrated coins after a deadline would effectively destroy Satoshi’s holdings and any other long dormant coins, which creates its own set of problems around property rights, community consensus, and the credibility of Bitcoin’s fixed supply promise.

Core developers have not reached agreement on BIP-360 because those tradeoffs are genuinely difficult, not because they are ignoring the threat. The consensus mechanism that makes Bitcoin resistant to control also makes it slow to coordinate major protocol changes. Bitcoin’s price resilience through geopolitical shocks reflects confidence in the network’s stability. That same stability makes rapid protocol changes in response to a threat that has not materialized yet politically difficult to push through.

Where the quantum hardware actually stands

The April 2026 bounty win for the largest quantum attack on elliptic curve cryptography was a research achievement, not a practical threat. The attack operated at a qubit scale orders of magnitude below what would be needed to break a real Bitcoin wallet. Current estimates from cryptographers put the required quantum computer at roughly 4,000 logical qubits running with very low error rates. The largest publicly announced quantum computers as of early 2026 operate at physical qubit counts in the thousands but with error rates that make them unsuitable for the sustained, precise computation that Shor’s algorithm requires on real cryptographic targets.

The timeline projections vary widely. Conservative estimates suggest 10 to 15 years before quantum computers reach the capability needed to threaten Bitcoin. More aggressive projections from some quantum computing researchers suggest 5 to 7 years is plausible under an optimistic hardware development scenario. The practical planning question is not which projection is correct. It is how long Bitcoin’s migration process takes once consensus is reached, and whether that duration fits inside the more conservative timeline estimate. The AI infrastructure expansion happening in parallel is accelerating the compute capabilities that quantum researchers have access to for simulation and development, which arguably compresses the conservative timeline estimates.

How Ripple’s four phase plan compares

Ripple published a four phase plan in April 2026 to make the XRP Ledger quantum resistant by 2028. Phase one covers algorithm selection and standards alignment. Phase two covers implementation of post quantum signing in the protocol. Phase three covers validator and client software updates. Phase four covers the migration period where existing accounts transition to quantum safe keys. A two year timeline with a published phase structure is the governance minimum for a major cryptographic migration in a live network.

Bitcoin has no equivalent published plan. The decentralized governance structure that makes Bitcoin resistant to capture also makes publishing a centrally coordinated migration timeline impossible. Nobody speaks for Bitcoin the way Ripple speaks for XRP. The comparison is not entirely fair because XRP’s governance structure is categorically different. But the practical outcome is that XRP will likely have a quantum migration timeline published and in execution while Bitcoin is still debating the parameters of BIP-360.

The TCB View

The quantum threat to Bitcoin is real, it is not imminent, and Bitcoin’s response to it is dangerously slow relative to what the stakes require. 6.9 million BTC at roughly $80,000 each is $552 billion in value sitting in addresses that a mature quantum computer could theoretically drain. The technical community knows this. BIP-360 exists. The research is being done. What does not exist is the governance process that turns a technical proposal into a network wide migration before the hardware catches up. Bitcoin has survived every previous challenge to its security model by being conservative, slow, and resistant to change. That same conservatism is the thing that could leave the most significant pile of exposed public keys in cryptographic history sitting vulnerable while the hardware timeline compresses. The time to start the migration conversation in earnest is not when quantum computers are capable. It is now, while there is still room for the conservative deliberation Bitcoin requires.

Satish Chand Gupta is the founder and editor in chief of The Central Bulletin. He covers Bitcoin, macro markets, and the intersection of digital assets with global finance. With years of experience tracking crypto markets and Web3 infrastructure, Satish focuses on original analysis and data-driven reporting.
