TL;DR
- Around 7 million bitcoin, worth an estimated 440 billion dollars, could become vulnerable when quantum computers become powerful enough to break today's encryption.
- Bitcoin's elliptic curve cryptography (ECDSA) could theoretically be broken by Shor's algorithm on a sufficiently powerful quantum machine.
- The community is discussing migration strategies, including BIP 360 and post-quantum cryptography — but consensus is difficult to achieve.
- Experts disagree on the timeline: estimates range from 8 to 40 years.
Billions in Bitcoin Could Be Defenseless
Bitcoin is built on cryptographic guarantees that have held for over 16 years. But a technological revolution could put these guarantees to the test: quantum computers. According to CoinDesk, approximately 7 million bitcoin — equivalent to about 440 billion dollars — are potentially exposed if a sufficiently powerful quantum machine were to become available to malicious actors.
Among the vulnerable coins are an estimated one million bitcoin linked to Bitcoin's pseudonymous creator, Satoshi Nakamoto — coins that have never moved.

Why Are These Bitcoins at Risk?
Bitcoin uses a cryptographic method called ECDSA (Elliptic Curve Digital Signature Algorithm) to verify transactions. The problem arises for addresses where the public key is already exposed on the blockchain — which particularly applies to older address types like Pay-to-Public-Key (P2PK).
A quantum computer with sufficient capacity would, using Shor's algorithm, theoretically be able to derive the private key from the public key — thereby giving the attacker full control over the funds.
Research indicates that approximately 25 percent of all bitcoin may be vulnerable due to exposed public keys. A more conservative estimate points to about 1.7 million BTC, or about 8 percent of the total outstanding supply, in older vulnerable address formats.
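The distinction the text draws, between outputs that carry the public key itself and outputs that carry only a hash of it, can be checked mechanically. The script below is an added example (not from the article or any Bitcoin project) that classifies output scripts by standard template and flags which UTXOs already expose a key on-chain; it goes slightly beyond the text by also treating address reuse (a hash-based script that has been spent from before revealed its key in that spend) and Taproot outputs (which carry the tweaked x-only key directly) as exposed. All UTXOs, keys and hashes are constructed sample data.

```python
"""Exposure check: which outputs already reveal a public key on-chain (constructed sample data)."""
from dataclasses import dataclass

# Opcodes used by the standard output templates.
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC


@dataclass(frozen=True)
class Utxo:
    value_sat: int
    script_pubkey: bytes


def script_type(s: bytes) -> str:
    """Match an output script against the standard templates."""
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == OP_CHECKSIG:
        return "p2pk"      # <pubkey> OP_CHECKSIG: the key itself sits in the output
    if len(s) == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) and s[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"     # only HASH160(pubkey) is in the output
    if len(s) == 23 and s[:2] == bytes([OP_HASH160, 0x14]) and s[-1] == OP_EQUAL:
        return "p2sh"      # only a script hash is in the output
    if len(s) == 22 and s[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh"    # only HASH160(pubkey) is in the output
    if len(s) == 34 and s[:2] == bytes([OP_1, 0x20]):
        return "p2tr"      # x-only (tweaked) pubkey sits in the output
    return "nonstandard"


KEY_IN_OUTPUT = {"p2pk", "p2tr"}   # templates whose output script contains the public key


def is_exposed(u: Utxo, spent_from: set[bytes]) -> bool:
    """Key is on-chain if the template carries it, or the same script was spent from before (reuse)."""
    return script_type(u.script_pubkey) in KEY_IN_OUTPUT or u.script_pubkey in spent_from


def exposure_report(utxos: list[Utxo], spent_from: set[bytes]) -> dict:
    """Split the UTXO set into exposed vs shielded value, with per-template counts."""
    report = {"exposed_sat": 0, "shielded_sat": 0, "by_type": {}}
    for u in utxos:
        t = script_type(u.script_pubkey)
        report["by_type"][t] = report["by_type"].get(t, 0) + 1
        report["exposed_sat" if is_exposed(u, spent_from) else "shielded_sat"] += u.value_sat
    return report


# Constructed sample UTXO set (synthetic keys and hashes, not real chain data).
SAMPLE = [
    Utxo(5_000_000_000, bytes([0x21, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG])),  # early-style P2PK, 50 BTC
    Utxo(150_000_000, bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x22" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),
    Utxo(25_000_000, bytes([OP_0, 0x14]) + b"\x33" * 20),   # P2WPKH, but its script is reused below
    Utxo(200_000_000, bytes([OP_1, 0x20]) + b"\x44" * 32),  # P2TR
]
REUSED = {SAMPLE[2].script_pubkey}   # constructed: this script has already been spent from once
```

Running `exposure_report(SAMPLE, REUSED)` attributes the P2PK, reused P2WPKH and P2TR value to the exposed bucket and only the untouched P2PKH output to the shielded one.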

When Could This Actually Happen?
Here, experts are far from agreement. Cryptographer Adam Back, cited in a report by CoinShares, believes Bitcoin faces no real quantum threat for at least two to four decades, and that the network will have time to adapt well in advance. Ethereum co-founder Vitalik Buterin, on the other hand, has estimated a 20 percent probability that quantum computers could threaten Bitcoin's cryptography as early as 2030, with escalating risk towards 2040. Quantum researcher Paulo Viana is even more concerned, estimating a real threat within eight years.
As of today, quantum computers are in what is called the NISQ phase — they have tens to a few hundred qubits and are highly error-prone. Breaking Bitcoin encryption requires millions of stable, error-corrected logical qubits, which is far beyond current capabilities. However, the first Bitcoin quantum test networks experimenting with NIST-standardized post-quantum algorithms were launched as recently as January 2026, according to research data.
What Can the Bitcoin Network Do?
Several migration strategies are under discussion in the Bitcoin community:
BIP 360 is a proposal to introduce a new transaction type — Pay-to-Merkle-Root — designed to reduce reliance on exposed public keys and lay the groundwork for future integration of post-quantum cryptography via subsequent soft forks.
Post-quantum cryptography (PQC) is the core of long-term protection. The American standardization body NIST finalized several PQC standards in 2024, including ML-DSA (Dilithium) and SLH-DSA (SPHINCS+), which are considered strong candidates for future Bitcoin upgrades.
Hybrid migration is a phased approach in which new, more secure address types are introduced, followed by a transition period during which transactions may require proof from both classical and post-quantum cryptography.
A more difficult variant is the proposal to freeze unmigrated coins — a kind of “dead man's switch” — which, however, directly conflicts with Bitcoin's fundamental principle that only the key holder has control over their funds.
Consensus Is the Major Obstacle
Although technical solutions exist on paper, the politics within the Bitcoin network are the real bottleneck. James Check, founder of Checkonchain, is quoted as saying that network participants may never agree to block or freeze vulnerable coins — which, in the worst case, could allow attackers to exploit them if the quantum threat materializes.
Technical challenges also contribute: post-quantum signatures are significantly larger and more expensive to verify than today's ECC signatures, which would increase bandwidth and validation costs for the network.
The US security authority NSA's CNSA 2.0 framework requires quantum-safe systems by 2030, and NIST plans to phase out ECC in federal systems by the mid-2030s. The Bitcoin community thus has a window — but it is unclear how long it will remain open.