At a Glance
- Satoshi Nakamoto’s approximately 1.1 million Bitcoin, valued between $67 billion and $124 billion, is increasingly viewed as a potential target for quantum computers.
- The early output type Satoshi mined to, Pay-to-Public-Key (P2PK), stores the raw public key in the output script, so it is permanently exposed on the blockchain; hash-based address types reveal the key only when the coins are spent.
- A sufficiently large quantum computer running Shor’s algorithm could recover the private key from any exposed public key, and with it sign transactions that spend the coins.
- Progress toward cryptographically relevant quantum computers is accelerating, and some estimates put Q-Day, the point at which such a machine exists, within years rather than decades.
- An October 2025 report by the Human Rights Foundation counted over 6.5 million BTC in outputs whose public key is already exposed, including Satoshi’s early holdings in legacy formats.
- The move to post-quantum cryptography (PQC) is under way elsewhere in the industry, but for Bitcoin it would require a network upgrade, most likely a soft fork, to add quantum-resistant output types; coins would then have to be moved to them voluntarily, which nobody can do for outputs whose keys are lost.
The Quantum Threat to Satoshi’s Bitcoin Stash
Satoshi Nakamoto’s estimated 1.1 million Bitcoin (BTC), often dubbed the crypto world’s ultimate lost treasure, remains dormant on the blockchain. This staggering hoard, with a current market value ranging from approximately $67 billion to $124 billion, has achieved legendary status. However, a growing number of cryptographers and physicists now view this massive cache not just as a historical curiosity but as a significant, multibillion-dollar security risk. The threat doesn’t stem from traditional cyberattacks like hacking or server breaches, but from the nascent field of quantum computing.
As quantum machines evolve from theoretical concepts in research labs to functional prototypes, they present a potential danger to existing public-key cryptography. This includes the digital signatures that guard Satoshi’s coins and the rest of the Bitcoin network (Bitcoin encrypts nothing; its security rests on the unforgeability of ECDSA and Schnorr signatures), as well as the public-key cryptography underpinning much of the global financial infrastructure. The development of both quantum computers and quantum-resistant defenses represents a critical and heavily funded technological race. Understanding this evolving landscape is crucial for anyone involved in digital assets.
Legacy Bitcoin Addresses as Prime Quantum Targets
How exposed a Bitcoin output is to a quantum attack depends on its type. Satoshi Nakamoto’s early mining rewards in 2009 and 2010 went to a legacy output type that poses a unique risk.
Most Bitcoin today sits in Pay-to-Public-Key-Hash (P2PKH) addresses, recognizable by a leading 1, Pay-to-Script-Hash (P2SH) addresses starting with 3, or native SegWit addresses beginning with bc1q. In these formats the output script stores only a cryptographic hash of the public key (or of a script), not the key itself; the key is revealed to the network only at the moment the output is spent. One caveat: Taproot addresses (bc1p) are the exception among modern formats, because a P2TR output contains the tweaked x-only public key directly, so it is as exposed as P2PK.
💡 Think of a bank’s secure drop box: the address hash is like the mail slot, visible and accessible to all. The public key, however, is akin to the locked vault door behind that slot, hidden from view. This lock (the public key) is only exposed when you choose to spend your coins, at which point your private key acts as the key to unlock it for the network.
💡 In stark contrast, Satoshi’s early coins sit in Pay-to-Public-Key (P2PK) outputs, the format Bitcoin used before addresses existed. There is no hash at all: the script contains the raw 65-byte public key, the lock itself, recorded permanently for anyone to read.
Against classical computers this exposure is harmless, because deriving a private key from a public key remains computationally infeasible. Against a large quantum computer it is not: an exposed public key is exactly the input Shor’s algorithm needs, and the coins can be taken without any further information.
Shor’s Algorithm: The Achilles’ Heel of Bitcoin’s Encryption
Bitcoin’s security fundamentally relies on the Elliptic Curve Digital Signature Algorithm (ECDSA) over the secp256k1 curve (and, since Taproot, Schnorr signatures over the same curve). Both rest on one mathematical asymmetry: it is cheap to derive a public key from a private key (scalar multiplication of a fixed base point on the curve), but exceedingly difficult for classical computers to reverse the process and find the private key from the public key. This is the Elliptic Curve Discrete Logarithm Problem (ECDLP).
Classical computers have no shortcut. The best known classical attack on a 256-bit curve, Pollard’s rho, still needs on the order of 2^128 curve operations, and naive brute force over the roughly 2^256 possible private keys is hopeless; neither is feasible for any foreseeable classical machine, which is why an exposed public key is safe today.
Quantum computers operate differently. Shor’s algorithm, published in 1994 for factoring and discrete logarithms and later adapted to elliptic curves, solves the ECDLP in time polynomial in the key size rather than exponential. It does so by turning the problem into period finding: for the public key Q = xG, the function f(a, b) = aG + bQ takes the same value whenever a + bx ≡ 0 (mod n), and a quantum Fourier transform applied to a superposition over all (a, b) makes such a pair show up with high probability; the private key then falls out as x = -a * b^-1 mod n.
In practice, this means the algorithm can take an exposed public key and, according to published resource estimates, recover the corresponding private key within hours or days on a sufficiently large fault-tolerant machine. An attacker wouldn’t need to breach any servers; they could simply collect the openly available P2PK public keys from the blockchain, feed them to a quantum computer, and use the recovered private keys to sign transactions moving the coins, Satoshi’s holdings included.
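To make the asymmetry concrete, here is an added example in Python (not code from the article or from any Bitcoin project): the real secp256k1 curve for the cheap forward direction, private key to public key, and a 19-point textbook curve (y^2 = x^3 + 2x + 2 over F_17) for the expensive backward direction, solved with baby-step giant-step so the square-root cost of the best classical attack is visible. Shor’s algorithm itself cannot be run on a classical machine, so the quantum side is described only in the comments.

```python
"""The elliptic-curve one-way function behind Bitcoin keys, and what the best
classical attack costs. Added example, not from the article. secp256k1
parameters are the real ones (SEC 2); the 17-element toy curve is a textbook
example chosen only so the discrete log can actually be run here.
"""
from math import isqrt

# secp256k1: y^2 = x^3 + 7 over F_P, base point G of prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2, a, p):
    """Affine point addition on y^2 = x^3 + a*x + b over F_p; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                       # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p


def ec_mul(k, pt, a, p):
    """Double-and-add: the forward direction costs only ~log2(k) curve operations."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt, a, p)
        pt = ec_add(pt, pt, a, p)
        k >>= 1
    return acc


def on_secp256k1(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def pubkey_from_privkey(d):
    """Private scalar -> 65-byte uncompressed public key, the form in Satoshi-era P2PK outputs."""
    x, y = ec_mul(d, G, 0, P)
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def ecdlp_bsgs(base, target, order, a, p):
    """Baby-step giant-step: recovers x with x*base == target using about
    2*sqrt(order) curve operations and sqrt(order) memory. This square-root
    cost is the classical ceiling (Pollard rho matches it without the memory);
    for N ~ 2^256 that is ~2^128 operations, which is why exposed keys are safe
    today. Shor's algorithm replaces this with a cost polynomial in log2(order).
    Returns (x, curve_operations_used)."""
    m = isqrt(order) + 1
    baby, pt, ops = {}, None, 0
    for j in range(m):                     # baby steps: j*base -> j
        baby[pt] = j
        pt = ec_add(pt, base, a, p)
        ops += 1
    step = ec_mul(m, base, a, p)           # giant step is -m*base
    step = (step[0], (-step[1]) % p)
    gamma = target
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % order, ops
        gamma = ec_add(gamma, step, a, p)
        ops += 1
    raise ValueError("target not in the subgroup generated by base")


# Toy curve y^2 = x^3 + 2x + 2 over F_17, generator (5, 1) of order 19.
TOY_A, TOY_P, TOY_G, TOY_N = 2, 17, (5, 1), 19

if __name__ == "__main__":
    print(pubkey_from_privkey(1).hex())                  # 04 || G.x || G.y
    q = ec_mul(13, TOY_G, TOY_A, TOY_P)                  # a "public key" on the toy curve
    print(ecdlp_bsgs(TOY_G, q, TOY_N, TOY_A, TOY_P))     # recovers 13 in a handful of steps
```

On the 19-point curve the solver needs about seven curve operations; the same algorithm on secp256k1 would need about 2^128, so the only thing standing between an exposed P2PK key and its private key is the lack of a quantum machine, not a lack of public data.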
💡 One widely cited estimate puts the cost of running Shor’s algorithm against a 256-bit elliptic curve at around 2,330 stable logical qubits. Because today’s physical qubits are noisy and error-prone, experts project that more than a million physical qubits might be needed to build that many logical qubits through error correction.
The Approaching Q-Day: A Shrinking Timeline
The term Q-Day signifies the hypothetical moment when a quantum computer achieves the capability to break current encryption standards. For a long time, this was considered a concern for 10-20 years in the future, but this timeline is rapidly contracting as quantum technology advances.
The significant number of physical qubits needed to achieve a smaller number of stable logical qubits is due to the necessity of quantum error correction. Qubits are inherently fragile, highly susceptible to environmental disturbances like vibrations, temperature fluctuations, and radiation, which can cause them to decohere and introduce errors into calculations. To perform complex computations, such as breaking ECDSA, stable logical qubits are essential. Creating a single logical qubit often requires the integration of hundreds or even thousands of physical qubits, utilizing sophisticated error-correcting codes to maintain computational integrity.
The race to build a cryptographically relevant quantum computer is intensifying:
- Companies like Quantinuum, Rigetti, and IonQ, alongside tech giants such as Google and IBM, are actively pursuing aggressive quantum development roadmaps.
- Rigetti, for instance, aims to deliver a system with over 1,000 qubits by 2027.
- This publicly disclosed progress does not account for potentially advanced, classified research conducted by nation-states. The first entity to reach Q-Day could possess unprecedented access to sensitive global financial and intelligence data.
Therefore, the development and deployment of quantum-resistant defenses must precede the realization of such a powerful attack capability.
Millions of Bitcoin at Risk from Quantum Attacks
While Satoshi’s wallet represents the most significant single target, it is far from the only Bitcoin vulnerable to quantum threats. An October 2025 report by the Human Rights Foundation analyzed the entire Bitcoin blockchain for quantum vulnerabilities, revealing alarming findings.
- Approximately 6.51 million BTC were identified as vulnerable to long-range quantum attacks, meaning attacks on public keys that are already on the chain, which an attacker can work on at leisure (as opposed to short-range attacks, which must recover a key in the minutes between a transaction’s broadcast and its confirmation).
- Of this amount, 1.72 million BTC are held in very early address types, presumed to be dormant or lost. This category includes Satoshi’s estimated 1.1 million BTC, much of which resides in legacy P2PK addresses.
- An additional 4.49 million BTC are also vulnerable but could potentially be secured through migration. These funds likely belong to active users.
The 4.49 million BTC are exposed through a common practice known as address reuse. Spending from a P2PKH (or P2WPKH) output places the full public key in the spending transaction’s scriptSig or witness, where it stays on the chain forever. Any other coins sent to that same address, whether before or after that spend, are from then on protected only by the discrete-log problem, exactly like Satoshi’s P2PK outputs; the hash no longer hides anything. Wallets that generate a fresh address for every receipt avoid this, which is why the report treats these funds as recoverable by migration.
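The two cases just described, an output type that carries the public key outright and a hash-based address whose key leaked through an earlier spend, can be told apart mechanically from the output scripts alone. The following Python is an added example (not code from the article or from any Bitcoin project) that classifies the standard scriptPubKey templates and then walks a small constructed chain of transactions to flag unspent outputs whose key is already public. The genesis coinbase script is quoted from public block data; the rest of the chain is made up for the demo. It goes one step past the text by also handling Taproot outputs, which carry a (tweaked) key directly.

```python
"""Classify Bitcoin output scripts by whether the spending public key is exposed.

Added example, not code from the original article. The script templates are
Bitcoin's standard output types; the genesis script is quoted from public block
data, and the three-transaction chain further down is constructed for the demo.
"""

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0xA9, 0x87, 0x88, 0xAC)


def classify(script_hex):
    """Return (type, key_exposed) for a scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33|65-byte pubkey> OP_CHECKSIG -- the raw key IS the output.
    if n in (35, 67) and s[0] == n - 2 and s[1] in (0x02, 0x03, 0x04) and s[-1] == OP_CHECKSIG:
        return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG -- only HASH160(pubkey).
    if n == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 20]) and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "P2PKH", False
    # P2SH: OP_HASH160 <20> OP_EQUAL -- hash of a redeem script (addresses starting with 3).
    if n == 23 and s[0] == OP_HASH160 and s[1] == 20 and s[22] == OP_EQUAL:
        return "P2SH", False
    # P2WPKH / P2WSH: OP_0 <20|32> -- hash of a compressed key / witness script (bc1q).
    if n in (22, 34) and s[0] == OP_0 and s[1] == n - 2:
        return ("P2WPKH" if n == 22 else "P2WSH"), False
    # P2TR: OP_1 <32-byte x-only tweaked pubkey> -- the key itself sits in the output (bc1p).
    if n == 34 and s[0] == OP_1 and s[1] == 32:
        return "P2TR", True
    return "nonstandard", False


def vulnerable_utxos(txs):
    """Walk transactions in order and report unspent outputs that a quantum
    attacker could already target: exposed by script type, or exposed because
    the same scriptPubKey was spent from earlier (address reuse), which put its
    public key into a scriptSig/witness for everyone to read.

    txs: list of (inputs, outputs); inputs are (tx_index, vout) outpoints of
    earlier outputs, outputs are scriptPubKey hex strings. Inputs irrelevant to
    the demo are simply omitted."""
    utxos = {}        # outpoint -> scriptPubKey hex
    revealed = set()  # scriptPubKeys whose key has appeared in a spend
    for i, (ins, outs) in enumerate(txs):
        for outpoint in ins:
            revealed.add(utxos.pop(outpoint))
        for v, script in enumerate(outs):
            utxos[(i, v)] = script
    report = []
    for outpoint, script in sorted(utxos.items()):
        kind, exposed = classify(script)
        if exposed:
            report.append((outpoint, kind, "key in output script"))
        elif script in revealed:
            report.append((outpoint, kind, "key revealed by earlier spend (reuse)"))
    return report


# Genesis block coinbase output (P2PK, 65-byte uncompressed key), as published.
GENESIS_P2PK = ("4104678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6"
                "49f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5fac")


def p2pkh(h20): return "76a914" + h20 + "88ac"
def p2wpkh(h20): return "0014" + h20
def p2tr(x32): return "5120" + x32


# Constructed chain: tx1 pays three address types; tx2 spends the P2PKH output
# (revealing its key) and then pays the SAME P2PKH address again.
SAMPLE_CHAIN = [
    ([], [GENESIS_P2PK]),
    ([], [p2pkh("aa" * 20), p2wpkh("bb" * 20), p2tr("cc" * 32)]),
    ([(1, 0)], [p2pkh("aa" * 20), p2pkh("dd" * 20)]),
]

if __name__ == "__main__":
    for outpoint, kind, why in vulnerable_utxos(SAMPLE_CHAIN):
        print(outpoint, kind, why)
```

Run against the constructed chain, the report lists the genesis P2PK output, the Taproot output, and the reused P2PKH output, while the never-spent P2WPKH and the fresh P2PKH output stay off the list; the reuse check is what separates the 4.49 million "migratable" BTC from coins that are still hidden behind a hash.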
Should a malicious actor achieve Q-Day first, the act of moving Satoshi’s coins would serve as undeniable proof of a successful quantum breach. Such an event would instantly signal a fundamental compromise of Bitcoin’s security, likely triggering widespread market panic, an exodus from exchanges, and an existential crisis for the entire cryptocurrency ecosystem.
💡 A related concern elsewhere in the industry is the harvest now, decrypt later tactic: adversaries record encrypted internet traffic today in order to decrypt it once a quantum computer exists. For Bitcoin the situation is worse in one respect, because there is nothing to harvest; every exposed public key already sits in a permanent public ledger that anyone can read at any time.
Transitioning Bitcoin to Quantum-Safe Protection
The broader cryptographic community has been working on replacements for years. The primary path forward is post-quantum cryptography (PQC): public-key algorithms, for both key exchange and digital signatures, built on mathematical problems for which no efficient classical or quantum algorithm is known.
Most of these algorithms move away from elliptic curves to other structures, chiefly lattices, along with signature schemes built purely from hash functions. The U.S. National Institute of Standards and Technology (NIST) has led the standardization effort.
- In August 2024, NIST published the first finalized PQC standards: FIPS 203 (ML-KEM, a key-encapsulation mechanism), FIPS 204 (ML-DSA, a signature scheme) and FIPS 205 (SLH-DSA, a hash-based signature scheme).
- The signature standard most often discussed is ML-DSA (Module-Lattice-Based Digital Signature Algorithm), the standardized form of CRYSTALS-Dilithium; SLH-DSA, standardized from SPHINCS+, relies only on hash functions and is the more conservative, but larger, alternative.
- The wider technology sector is already deploying these standards, so far mainly for key exchange: OpenSSH has defaulted to a post-quantum hybrid key exchange since version 9.0 in 2022 and switched that default to an ML-KEM hybrid in version 10.0 in 2025, and Cloudflare has reported that a majority of its web traffic is now protected by post-quantum key exchange. Bitcoin’s problem is the harder one, signatures, where the post-quantum schemes are considerably bulkier.
For Bitcoin, implementing quantum-safe protection would require a network-wide upgrade, most likely a soft fork, introducing new quantum-resistant output types such as the proposed P2PQC addresses. It would not compel anyone to migrate immediately; holders could voluntarily move coins from older, vulnerable outputs to the new ones, as happened with SegWit. Two caveats a practitioner should keep in view. First, the cost is real: an ML-DSA-44 signature is 2,420 bytes and its public key 1,312 bytes, against 64 bytes for a Schnorr signature and 32 bytes for a Taproot key, so quantum-safe spends consume far more block space (and hash-based SLH-DSA signatures are larger still). Second, migration only helps coins whose owners still hold the keys; outputs whose keys are lost, which is what is presumed for Satoshi’s, remain exposed no matter what the protocol adds.
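As an added example (not from the article, and not ML-DSA, SLH-DSA or any Bitcoin proposal), the following Python implements a Lamport one-time signature, the simplest member of the hash-based family to which SLH-DSA belongs. It shows what "quantum-safe because it relies only on a hash function" means in code and why block space is the real obstacle: its public key is 16,384 bytes and its signature 8,192 bytes, against 33 and 64 bytes for a compressed secp256k1 key and a Schnorr signature. The message bytes and key material are constructed for the demo.

```python
"""Lamport one-time signatures: the simplest hash-based, quantum-resistant
signature scheme. Added example, not from the article, and not ML-DSA, SLH-DSA
or any Bitcoin proposal; it shows the idea behind hash-based PQ signatures and
why they cost so much more block space than ECDSA/Schnorr.
"""
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=os.urandom):
    """Secret key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 of each. Security is preimage resistance only;
    Shor does not apply, and Grover at best halves the exponent (2^256 -> 2^128)."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def _bits(msg: bytes):
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    """Reveal, for each digest bit, the preimage of that bit's public-key half.
    ONE-TIME: signing a second message with the same key reveals preimages for
    the other halves too, and an attacker can then mix them to forge."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Every revealed preimage must hash to the half selected by the message bit."""
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def sizes():
    """Bytes on the wire. For comparison: secp256k1 compressed key 33 bytes,
    Schnorr signature 64 bytes; ML-DSA-44 (FIPS 204) key 1312, signature 2420."""
    return {"pubkey": 256 * 2 * 32, "signature": 256 * 32}


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed transaction payload"
    sig = sign(sk, msg)
    print(verify(pk, msg, sig), verify(pk, msg + b"!", sig), sizes())
```

Real hash-based standards (SLH-DSA, and the stateful XMSS/LMS schemes) fix the one-time limitation with Merkle trees over many Lamport-style keys, which shrinks the public key to a single root hash but keeps signatures in the kilobyte range; that size, not any doubt about the hash function, is what a Bitcoin soft fork would have to budget for.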
Expert Summary
Satoshi Nakamoto’s holdings, along with millions of other Bitcoin, are potentially vulnerable to future quantum computers because their public keys are permanently exposed on the chain, either through legacy P2PK outputs or through address reuse. Quantum computing is still developing, but the pace of progress suggests a cryptographically relevant machine could emerge within years. The cryptographic community has post-quantum signature standards in hand, yet integrating them into Bitcoin would require a major network upgrade, a migration by every key holder, and an acceptance of much larger signatures; coins whose keys are lost cannot be migrated at all.




