Key Takeaways:
  • Quantum computers threaten the signatures that protect Bitcoin keys, not its mining, and only coins with an exposed public key are at risk.
  • As of early 2026, more than a third of all Bitcoin, around 6.5 million coins including Satoshi's, sit in addresses with exposed keys, but the machine that could crack them does not exist yet.
  • Bitcoin is already preparing, with a new quantum-resistant address type and a contentious migration plan that may force a choice between freezing vulnerable coins and leaving them stealable.

The Setup

Every few months a headline warns that quantum computers will destroy Bitcoin. Then nothing happens, and people tune it out. The truth sits in between: the threat is real, specific, and decades from being practical, and the Bitcoin world is already moving on it. In 2026 that shifted from theory into actual code and a real, divisive plan. It is worth understanding what is actually at risk, and what is not.

What Quantum Computing Threatens

Bitcoin leans on two kinds of math. One is hashing, SHA-256, which secures mining and turns a public key into an address. The other is a digital signature, ECDSA on a curve called secp256k1, which proves you own the coins when you spend. Quantum computers attack these two very differently. Against hashing, the best quantum trick, Grover's algorithm, offers only a modest speedup, so mining and address hashes stay broadly safe. Against the signature, a different method, Shor's algorithm, is devastating: given a public key, it can in principle compute the matching private key. That signature is the soft spot.

Why Only Some Coins Are at Risk

Here is the nuance most headlines miss. In normal Bitcoin use, your public key is hidden behind a hash until the moment you spend, so an attacker has nothing to crack while your coins just sit there. The danger is exposed public keys. Old address formats from Bitcoin's early days published the public key directly. And any address that has already sent a transaction has revealed its key on the blockchain forever. As of early 2026, on-chain data in a Bitcoin proposal counted more than 34 percent of all coins, roughly 6.5 to 6.9 million BTC, with exposed public keys, including about 1.7 million in ancient addresses widely believed to be Satoshi's. Those are the coins a future quantum computer could target.
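
A wallet audit along the lines described above, as an added example that is not part of the original article: it classifies output scripts by whether the public key is already visible on-chain. It goes beyond the article by also flagging Taproot (P2TR) outputs, which carry a public key directly in the output; the function names and all sample scripts and amounts are constructed for illustration.

```python
# Added example: classify output scripts by whether the public key is visible on-chain.
# Every script and amount below is a constructed placeholder, not real chain data.

HASHED = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}   # key sits behind a hash until spent
KEY_IN_OUTPUT = {"p2pk", "p2tr"}                 # key is part of the output itself

def script_type(spk: bytes) -> str:
    """Recognise standard scriptPubKey templates by their byte layout."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"    # <33- or 65-byte pubkey> OP_CHECKSIG (early-era format)
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"   # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"    # OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"  # witness v0, 20-byte key hash
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"   # witness v0, 32-byte script hash
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"    # witness v1, 32-byte x-only public key
    return "unknown"

def exposure(spk_hex: str, spent_from_before: bool = False) -> str:
    """Return 'exposed', 'hidden', or 'review' for one unspent output."""
    kind = script_type(bytes.fromhex(spk_hex))
    if kind in KEY_IN_OUTPUT:
        return "exposed"
    if kind in HASHED:
        # A previous spend from the same address already revealed the key or script.
        return "exposed" if spent_from_before else "hidden"
    return "review"      # non-standard script: inspect by hand

def exposure_report(utxos):
    """Sum satoshis per exposure status over (script_hex, spent_from_before, sats)."""
    totals = {"exposed": 0, "hidden": 0, "review": 0}
    for spk_hex, reused, sats in utxos:
        totals[exposure(spk_hex, reused)] += sats
    return totals

SAMPLE_UTXOS = [  # constructed
    ("21" + "02" + "11" * 32 + "ac", False, 5_000_000_000),   # P2PK
    ("76a914" + "22" * 20 + "88ac", False, 150_000),           # P2PKH, fresh address
    ("76a914" + "33" * 20 + "88ac", True, 40_000),             # P2PKH, address reused
    ("0014" + "44" * 20, False, 900_000),                      # P2WPKH, fresh address
    ("5120" + "55" * 32, False, 70_000),                       # P2TR
]
```

Calling `exposure_report(SAMPLE_UTXOS)` gives the satoshi totals per status; outputs reported as exposed are the ones to move to a fresh hashed address first.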

How Close Is the Threat

Not close, by current hardware. Estimates for cracking Bitcoin's curve range from a couple of thousand logical qubits to break one key slowly, up to hundreds of thousands of logical qubits to do it inside a short window, which translates to millions of physical qubits once you account for error correction. Today's best machines have on the order of hundreds to low thousands of physical qubits, with error rates that make stable logical qubits scarce. One forecast puts the odds of a cryptographically relevant quantum computer at about one in six by 2035, near 30 percent by 2040, and around 60 percent by 2050. So this is a years-to-decades problem, not a next-quarter one.

Why 2026 Changed the Conversation

Two things made it less abstract this year. First, researchers, including a Google team, suggested breaking these signatures might take fewer quantum resources than once assumed, and someone claimed a bounty for cracking a small elliptic-curve key on real quantum hardware. That sharpened fears about "harvest now, decrypt later," where attackers note exposed keys today and wait for the hardware. Second, Bitcoin developers stopped just talking. In February, a proposal called BIP-360 added the network's first quantum-resistant address type. Two months later, BIP-361 went further, sketching a plan to migrate the vulnerable coins to safe addresses on a deadline.

The Hard Choice Bitcoin Faces

This is where it gets uncomfortable, and political. A migration only works if everyone moves their coins to quantum-safe addresses before a cutoff. But some of those vulnerable coins cannot move, because the owners are gone, the keys are lost, or, in the famous case, Satoshi has never touched them. So the community faces a genuine dilemma. Set a hard deadline and the network could freeze millions of unmovable coins forever, including Satoshi's, to keep them out of a future attacker's hands. Or leave them spendable and accept that one day a quantum computer might simply take them. Freeze or risk theft: there is no clean third option. A BIP co-author estimated a full migration would take about seven years once consensus forms.

What It Means For Investors and Holders

For everyday holders, the practical advice is calm and concrete. Use a modern wallet and do not reuse addresses. The standard hashed address keeps your public key hidden until you spend, which removes most of the exposure. The bigger market questions are about the old, exposed coins and the politics of migration, since a messy freeze debate could rattle confidence long before any quantum computer is built. Watch the timeline of qubit progress, where error-corrected logical qubits are the number that matters, not raw qubit counts, and watch whether Bitcoin can coordinate a smooth upgrade. The technology risk is slow. The coordination risk is the nearer one.

FAQ

Will quantum computers steal my Bitcoin soon?
Almost certainly not soon. The hardware needed is many years away by mainstream estimates, and if you use a normal modern wallet without reusing addresses, your public key is not even exposed. The realistic worry is for old, exposed coins, not a typical user's wallet.

Can't Bitcoin just upgrade and be safe?
It can add quantum-resistant signatures, and it is starting to with new address types. The hard part is not the cryptography; it is getting millions of holders to move their coins before a deadline, and deciding what to do about coins that can never move, like lost or Satoshi-era ones.

Does this affect other crypto too?
Yes. Any chain that uses the same kind of elliptic-curve signatures, which is most of them, including Ethereum, faces the same exposed-key risk. Bitcoin gets the headlines, but quantum resistance is an industry-wide migration, not a Bitcoin-only one.