If Quantum Computing Breaks Through, What Happens to Satoshi’s Bitcoin?

Satoshi Nakamoto‘s estimated 1.1 million Bitcoin (BTC) is often described as the crypto world’s ultimate “lost treasure.” It sits on the blockchain like a dormant volcano, a digital ghost ship that has not seen an onchain transaction since its creation. This massive stash, worth approximately $67 billion-$124 billion at current market rates, has become a legend.

But for a growing number of cryptographers and physicists, it is also viewed as a multibillion-dollar security risk. The threat is not a hacker, a server breach or a lost password; it is the emergence of an entirely new form of computation: quantum computing.

As quantum machines move from theoretical research labs to powerful working prototypes, they pose a potential threat to existing cryptographic systems. This includes the encryption that protects Satoshis coins, the wider Bitcoin network and parts of the global financial infrastructure.

This is not a distant “what if.” The race to build both a quantum computer and a quantum-resistant defense is one of the most critical and well-funded technological efforts of our time. Here is what you need to know.

Why Satoshis early wallets are easy quantum targets

To understand the threat, it is important to recognize that not all Bitcoin addresses are created equal. The vulnerability lies in the type of address Satoshi used in 2009 and 2010.

Most Bitcoin today is held in pay-to-public-key-hash (P2PKH) addresses, which start with “1,” or in newer SegWit addresses that begin with “bc1.” In these address types, the blockchain does not store the full public key when coins are received; it stores only a hash of the public key, and the actual public key is revealed only when the coins are spent.

Satoshis coins, however, are stored in much older P2PK addresses. In this legacy format, there is no hash. The public key itself, the lock in our analogy, is visibly and permanently recorded on the blockchain for everyone to see.

For a classical computer, this does not matter. It is still practically impossible to reverse-engineer a public key to find the corresponding private key. But for a quantum computer, that exposed public key is a detailed blueprint. It is an open invitation to come and pick the lock.

How Shors algorithm lets quantum machines break Bitcoin

Bitcoins security model is built on ECDSA. Its strength comes from a one-way mathematical assumption. It is easy to multiply a private key by a point on a curve to derive a public key, but it is essentially impossible to take that public key and reverse the process to find the private key. This is known as the Elliptic Curve Discrete Logarithm Problem.

A classical computer has no known way to “divide” this operation. Its only option is brute force, guessing every possible key. The number of possible keys is 2256, a number so vast it exceeds the number of atoms in the known universe. This is why Bitcoin is safe from all classical supercomputers on Earth, now and in the future.

A quantum computer would not guess. It would calculate.

The tool for this is Shors algorithm, a theoretical process developed in 1994. On a sufficiently powerful quantum computer, the algorithm can use quantum superposition to find the mathematical patterns, specifically the period, hidden within the elliptic curve problem. It can take an exposed public key and, in a matter of hours or days, reverse-engineer it to find the single private key that created it.

An attacker would not need to hack a server. They could simply harvest the exposed P2PK public keys from the blockchain, feed them into a quantum machine, and wait for the private keys to be returned. Then they could sign a transaction and move Satoshis 1.1 million coins.

How close are we to a Q-Day？

“Q-Day” is the hypothetical moment when a quantum computer becomes capable of breaking current encryption. For years, it was considered a distant “10-20-year” problem, but that timeline is now rapidly compressing.

The reason we need 1 million physical qubits to get 2,330 logical ones is quantum error correction. Qubits are incredibly fragile. They are noisy and sensitive to even slight vibrations, temperature changes or radiation, which can cause them to decohere and lose their quantum state, leading to errors in calculation.

To perform a calculation as complex as breaking ECDSA, you need stable logical qubits. To create a single logical qubit, you may need to combine hundreds or even thousands of physical qubits into an error-correcting code. This is the systems overhead for maintaining stability.

We are in a rapidly accelerating quantum race.

• Companies such as Quantinuum, Rigetti and IonQ, along with tech giants such as Google and IBM, are publicly pursuing aggressive quantum roadmaps.
• Rigetti, for example, remains on track to reach a 1,000-plus qubit system by 2027.
• This public-facing progress does not account for classified state-level research. The first nation to reach Q-Day could theoretically hold a master key to global financial and intelligence data.

The defense, therefore, must be built and deployed before the attack becomes possible.

Why millions of Bitcoin are exposed to quantum attacks

Satoshis wallet is the biggest prize, but it is not the only one. An October 2025 report from the Human Rights Foundation analyzed the entire blockchain for quantum vulnerability.

The findings were stark:

• 6.51 million BTC is vulnerable to long-range quantum attacks.
• This includes 1.72 million BTC in very early address types that are believed to be dormant or potentially lost, including Satoshis estimated 1.1 million BTC, many of which is in P2PK addresses.
• An additional 4.49 million BTC is vulnerable but could be secured by migration, suggesting their owners are likely still able to act.

This 4.49 million BTC stash belongs to users who made a critical mistake: address reuse. They used modern P2PKH addresses, but after spending from them (which reveals the public key), they received new funds back to that same address. This was common practice in the early 2010s. By reusing the address, they permanently exposed their public key onchain, turning their modern wallet into a target just as vulnerable as Satoshis.

If a hostile actor were the first to reach Q-Day, the simple act of moving Satoshi‘s coins would serve as proof of a successful attack. It would instantly show that Bitcoin’s fundamental security had been broken, triggering market-wide panic, a bank run on exchanges and an existential crisis for the entire crypto ecosystem.

How Bitcoin could switch to quantum-safe protection

The cryptographic community is not waiting for this to happen. The solution is post-quantum cryptography (PQC), a new generation of encryption algorithms built on different and more complex mathematical problems that are believed to be secure against both classical and quantum computers.

Instead of elliptic curves, many PQC algorithms rely on structures such as lattice-based cryptography. The US National Institute of Standards and Technology has been leading this effort.

• In August 2024, the National Institute of Standards and Technology published the first finalized PQC standards.
• The key one for this discussion is ML-DSA (Module-Lattice-based Digital Signature Algorithm), part of the CRYSTALS-Dilithium standard.
• The wider tech world is already adopting it. By late 2025, OpenSSH 10.0 had made a PQC algorithm its default, and Cloudflare reported that a majority of its web traffic is now PQC-protected.

For Bitcoin, the path forward would be a network-wide software update, almost certainly implemented as a soft fork. This upgrade would introduce new quantum-resistant address types, such as proposed “P2PQC” addresses. It would not force anyone to move. Instead, users could voluntarily send their funds from older, vulnerable addresses, such as P2PKH or SegWit, to these new secure ones. This approach would be similar to how the SegWit upgrade was rolled out.