What happens to Satoshi’s 1M Bitcoin if quantum computers go live?

Why Satoshi’s wallet is simply a premier quantum people

Satoshi’s 1.1-million-BTC wallet is progressively viewed arsenic a imaginable quantum vulnerability arsenic researchers measure however advancing computing powerfulness could impact aboriginal Bitcoin addresses.

Satoshi Nakamoto’s estimated 1.1 cardinal Bitcoin (BTC) is often described arsenic the crypto world’s eventual “lost treasure.” It sits connected the blockchain similar a dormant volcano, a integer shade vessel that has not seen an onchain transaction since its creation. This monolithic stash, worthy astir $67 billion-$124 cardinal astatine existent marketplace rates, has go a legend.

But for a increasing fig of cryptographers and physicists, it is besides viewed arsenic a multibillion-dollar information risk. The menace is not a hacker, a server breach oregon a mislaid password; it is the emergence of an wholly caller signifier of computation: quantum computing.

As quantum machines determination from theoretical probe labs to almighty moving prototypes, they airs a imaginable menace to existing cryptographic systems. This includes the encryption that protects Satoshi’s coins, the wider Bitcoin web and parts of the planetary fiscal infrastructure.

This is not a distant “what if.” The contention to physique some a quantum machine and a quantum-resistant defense is 1 of the astir captious and well-funded technological efforts of our time. Here is what you request to know.

Why Satoshi’s aboriginal wallets are casual quantum targets

Most modern Bitcoin wallets fell the nationalist cardinal until a transaction occurs. Satoshi’s bequest pay-to-public-key (P2PK) addresses bash not, and their nationalist keys are permanently exposed onchain.

To recognize the threat, it is important to admit that not each Bitcoin addresses are created equal. The vulnerability lies successful the benignant of code Satoshi utilized successful 2009 and 2010.

Most Bitcoin contiguous is held successful pay-to-public-key-hash (P2PKH) addresses, which commencement with “1,” oregon successful newer SegWit addresses that statesman with “bc1.” In these code types, the blockchain does not store the afloat nationalist cardinal erstwhile coins are received; it stores lone a hash of the nationalist key, and the existent nationalist cardinal is revealed lone erstwhile the coins are spent.

Think of it similar a bank’s driblet box. The code hash is the message slot; anyone tin spot it and driblet wealth in. The nationalist cardinal is the locked metallic doorway down the slot. No 1 tin spot the fastener oregon its mechanism. The nationalist cardinal (the “lock”) is lone revealed to the web astatine the 1 and lone infinitesimal you determine to walk the coins, astatine which constituent your backstage cardinal “unlocks” it.

Satoshi’s coins, however, are stored successful overmuch older P2PK addresses. In this bequest format, determination is nary hash. The nationalist cardinal itself, the fastener successful our analogy, is visibly and permanently recorded connected the blockchain for everyone to see.

For a classical computer, this does not matter. It is inactive practically intolerable to reverse-engineer a nationalist cardinal to find the corresponding backstage key. But for a quantum computer, that exposed nationalist cardinal is simply a elaborate blueprint. It is an unfastened invitation to travel and prime the lock.

How Shor’s algorithm lets quantum machines interruption Bitcoin

Bitcoin’s security, Elliptic Curve Digital Signature Algorithm (ECDSA), relies connected mathematics that is computationally infeasible for classical computers to reverse. Shor’s algorithm, if tally connected a sufficiently almighty quantum computer, is designed to interruption that math.

Bitcoin’s information model is built connected ECDSA. Its spot comes from a one-way mathematical assumption. It is casual to multiply a backstage cardinal by a constituent connected a curve to deduce a nationalist key, but it is fundamentally intolerable to instrumentality that nationalist cardinal and reverse the process to find the backstage key. This is known arsenic the Elliptic Curve Discrete Logarithm Problem.

A classical machine has nary known mode to “divide” this operation. Its lone enactment is brute force, guessing each imaginable key. The fig of imaginable keys is 2256, a fig truthful immense it exceeds the fig of atoms successful the known universe. This is wherefore Bitcoin is harmless from each classical supercomputers connected Earth, present and successful the future.

A quantum machine would not guess. It would calculate.

The instrumentality for this is Shor’s algorithm, a theoretical process developed successful 1994. On a sufficiently powerful quantum computer, the algorithm tin usage quantum superposition to find the mathematical patterns, specifically the period, hidden wrong the elliptic curve problem. It tin instrumentality an exposed nationalist cardinal and, successful a substance of hours oregon days, reverse-engineer it to find the azygous backstage cardinal that created it.

An attacker would not request to hack a server. They could simply harvest the exposed P2PK nationalist keys from the blockchain, provender them into a quantum machine, and hold for the backstage keys to beryllium returned. Then they could motion a transaction and determination Satoshi’s 1.1 cardinal coins.

Did you know? It is estimated that breaking Bitcoin’s encryption would necessitate a instrumentality with astir 2,330 unchangeable logical qubits. Because existent qubits are noisy and error-prone, experts judge a fault-tolerant strategy would request to harvester much than 1 cardinal carnal qubits conscionable to make those 2,330 unchangeable ones.

How adjacent are we to a Q-Day?

Firms similar Rigetti and Quantinuum are racing to physique a cryptographically applicable quantum computer, and the timeline is shrinking from decades to years.

“Q-Day” is the hypothetical infinitesimal erstwhile a quantum machine becomes susceptible of breaking existent encryption. For years, it was considered a distant “10-20-year” problem, but that timeline is present rapidly compressing.

The crushed we request 1 cardinal carnal qubits to get 2,330 logical ones is quantum mistake correction. Qubits are incredibly fragile. They are noisy and delicate to adjacent flimsy vibrations, somesthesia changes oregon radiation, which tin origin them to decohere and suffer their quantum state, starring to errors successful calculation.

To execute a calculation arsenic analyzable arsenic breaking ECDSA, you request unchangeable logical qubits. To make a azygous logical qubit, you whitethorn request to harvester hundreds oregon adjacent thousands of carnal qubits into an error-correcting code. This is the system’s overhead for maintaining stability.

We are successful a rapidly accelerating quantum race.

• Companies specified arsenic Quantinuum, Rigetti and IonQ, on with tech giants specified arsenic Google and IBM, are publically pursuing assertive quantum roadmaps.

• Rigetti, for example, remains connected way to scope a 1,000-plus qubit strategy by 2027.

• This public-facing advancement does not relationship for classified state-level research. The archetypal federation to scope Q-Day could theoretically clasp a maestro cardinal to planetary fiscal and quality data.

The defense, therefore, indispensable beryllium built and deployed earlier the onslaught becomes possible.

Why millions of Bitcoin are exposed to quantum attacks

A 2025 Human Rights Foundation study recovered that 6.51 cardinal BTC is successful susceptible addresses, with 1.72 cardinal of it, including Satoshi’s, considered mislaid and unmovable.

Satoshi’s wallet is the biggest prize, but it is not the lone one. An October 2025 report from the Human Rights Foundation analyzed the full blockchain for quantum vulnerability.

The findings were stark:

• 6.51 cardinal BTC is susceptible to long-range quantum attacks.

• This includes 1.72 cardinal BTC successful precise aboriginal code types that are believed to beryllium dormant oregon perchance lost, including Satoshi’s estimated 1.1 cardinal BTC, galore of which is successful P2PK addresses.

• An further 4.49 cardinal BTC is susceptible but could beryllium secured by migration, suggesting their owners are apt inactive capable to act.

This 4.49 cardinal BTC stash belongs to users who made a captious mistake: code reuse. They utilized modern P2PKH addresses, but aft spending from them (which reveals the nationalist key), they received caller funds backmost to that aforesaid address. This was communal signifier successful the aboriginal 2010s. By reusing the address, they permanently exposed their nationalist cardinal onchain, turning their modern wallet into a people conscionable arsenic susceptible arsenic Satoshi’s.

If a hostile histrion were the archetypal to scope Q-Day, the elemental enactment of moving Satoshi’s coins would service arsenic impervious of a palmy attack. It would instantly amusement that Bitcoin’s cardinal information had been broken, triggering market-wide panic, a slope tally connected exchanges and an existential situation for the full crypto ecosystem.

Did you know? A communal maneuver being discussed is “harvest now, decrypt later.” Malicious actors are already signaling encrypted data, specified arsenic net postulation and blockchain nationalist keys, with the volition of decrypting it years from present erstwhile they person a quantum computer.

How Bitcoin could power to quantum-safe extortion

The full tech satellite is moving to caller quantum-resistant standards. For Bitcoin, this would necessitate a large web upgrade, oregon fork, to a caller algorithm.

The cryptographic assemblage is not waiting for this to happen. The solution is post-quantum cryptography (PQC), a caller procreation of encryption algorithms built connected antithetic and much analyzable mathematical problems that are believed to beryllium unafraid against some classical and quantum computers.

Instead of elliptic curves, galore PQC algorithms trust connected structures specified arsenic lattice-based cryptography. The US National Institute of Standards and Technology has been starring this effort.

• In August 2024, the National Institute of Standards and Technology published the archetypal finalized PQC standards.

• The cardinal 1 for this treatment is ML-DSA (Module-Lattice-based Digital Signature Algorithm), portion of the CRYSTALS-Dilithium standard.

• The wider tech satellite is already adopting it. By precocious 2025, OpenSSH 10.0 had made a PQC algorithm its default, and Cloudflare reported that a bulk of its web postulation is present PQC-protected.

For Bitcoin, the way guardant would beryllium a network-wide bundle update, astir surely implemented arsenic a brushed fork. This upgrade would present caller quantum-resistant code types, specified arsenic projected “P2PQC” addresses. It would not unit anyone to move. Instead, users could voluntarily nonstop their funds from older, susceptible addresses, specified arsenic P2PKH oregon SegWit, to these caller unafraid ones. This attack would beryllium akin to however the SegWit upgrade was rolled out.