The person who invented Bitcoin may be the one person quantum computing hurts the most.
Not because of anything he did wrong. Satoshi Bitcoin wallets created in 2009 may become the biggest long-term target for quantum computers. No one can warn Satoshi. No one knows if Satoshi is even alive. And the window to fix this before quantum computers become a real threat is closing faster than most people realize.
And that’s the actual problem.
Key Takeaways
- Google research found that Bitcoin’s encryption could be cracked by a quantum computer with fewer than 500,000 physical qubits, roughly 20x fewer than prior estimates.
- Satoshi Nakamoto’s wallets hold an estimated 1.1 million BTC worth over $75 billion, accounting for over 5% of the total Bitcoin supply.
- Paradigm researcher Dan Robinson proposed PACTs (Provable Address-Control Timestamps) on May 1, 2026, offering a way to protect dormant Bitcoin without moving coins or broadcasting any public signal.
- The threat is real but not immediate. Most experts put practical quantum attacks on Bitcoin in the mid-2030s, with 2029 as an aggressive early estimate.
- Quantum-resistant crypto already exists. Projects like QRL have been live since 2018. Bitcoin and Ethereum are still catching up.
Why Quantum Computers Could Become a Bitcoin Problem
Quantum computers threaten Bitcoin because they could eventually break the cryptographic signatures protecting older wallets. The biggest risk affects dormant addresses with publicly exposed keys, including some linked to Satoshi Nakamoto.
Bitcoin’s security is built on a form of math called elliptic curve cryptography (ECC). ECC is the mathematical system Bitcoin uses to secure wallets and transactions. When you own Bitcoin, you have a private key (a secret number) and a public key (derived from it). The public key is visible on the blockchain. The private key never is. And the reason this works today is that there’s no known way to reverse-engineer a private key from a public key using normal computers.
Quantum computers change that math. Using an algorithm called Shor’s algorithm, a sufficiently powerful quantum machine could theoretically reverse engineer and derive the private key. That means it could take control of the wallet.
Google’s Quantum AI team published research showing Bitcoin’s secp256k1 elliptic curve could be broken with fewer than 500,000 physical qubits, dramatically lower than what anyone previously assumed. And the same research estimated a quantum computer could crack a Bitcoin private key in roughly nine minutes, which is just inside Bitcoin’s 10-minute block confirmation window.
Why dormant wallets face the highest risk
Not every Bitcoin wallet carries the same quantum risk. The exposure depends on what type of address format was used and whether the public key is already visible on-chain.
When you send Bitcoin from a wallet, you reveal the public key. That is the moment a quantum computer gets the information it needs to attempt a crack. Some wallets are exposed even if they have never spent: old P2PK outputs from Bitcoin’s early days carry the public key in the scriptPubKey itself, so it is visible from the moment the coins are received.
Satoshi’s wallets are almost all P2PK. The public keys are already out there. They have been since 2009.
| Wallet Type | Estimated BTC at Risk | Exposure Level |
|---|---|---|
| Pre-2012 P2PK (Satoshi-era) | ~1.7 million BTC | Critical: public key always exposed |
| Reused P2PKH addresses | ~4.8 million BTC | High: public key exposed after the first spend |
| Modern SegWit (unused) | Minimal | Low: public key hidden until spent |
| Modern SegWit (used, migrated) | None | Negligible if migrated to quantum-safe |
All told, approximately 6.5 million BTC sit in permanently exposed or highly vulnerable addresses under BIP-361’s classification. That is a lot of potential for Bitcoin theft if quantum computers get there first.
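The classification above comes down to one question per output: is the public key already recoverable from the chain? The following added example (not from the article) answers it from a raw scriptPubKey, with a `spent_before` flag standing in for address reuse. One caveat it adds: a P2TR script carries the x-only output key directly (BIP-341), so it is classed as exposed. The sample UTXO set is constructed.

```python
from dataclasses import dataclass

@dataclass
class Exposure:
    script_type: str
    pubkey_exposed: bool
    reason: str

def _hash_type(name: str, spent_before: bool) -> Exposure:
    # Hash-based outputs reveal the key only in the scriptSig/witness of a spend.
    reason = "key revealed by an earlier spend" if spent_before else "hash only until first spend"
    return Exposure(name, spent_before, reason)

def classify_script_pubkey(spk: bytes, spent_before: bool = False) -> Exposure:
    """Decide whether the key behind an output is already visible on-chain.
    spent_before models address reuse: once any output paying a hash-based
    address has been spent, its key was revealed in the scriptSig or witness."""
    n = len(spk)
    # P2PK: <33- or 65-byte push> <pubkey> OP_CHECKSIG (0xac). The key is the script.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return Exposure("P2PK", True, "public key sits in the scriptPubKey itself")
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return _hash_type("P2PKH", spent_before)
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return _hash_type("P2WPKH", spent_before)
    # P2WSH: OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return _hash_type("P2WSH", spent_before)
    # P2TR: OP_1 <32-byte x-only output key> (BIP-341). The tweaked key is on-chain.
    if n == 34 and spk[:2] == b"\x51\x20":
        return Exposure("P2TR", True, "x-only output key sits in the scriptPubKey")
    return Exposure("unknown", True, "unrecognized script; treat as exposed")

def exposed_value(utxos: list[tuple[str, int, bool]]) -> int:
    """Sum the satoshis behind exposed keys. utxos: (scriptPubKey hex, value, spent_before)."""
    return sum(value for spk_hex, value, reused in utxos
               if classify_script_pubkey(bytes.fromhex(spk_hex), reused).pubkey_exposed)

SAMPLE_UTXOS = [  # constructed values, not real chain data
    ("21" + "02" + "11" * 32 + "ac", 50_00000000, False),   # 2009-style P2PK coinbase
    ("76a914" + "aa" * 20 + "88ac", 10_00000000, True),      # reused P2PKH
    ("0014" + "bb" * 20, 3_00000000, False),                 # fresh P2WPKH
]
```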
Could Quantum Computers Steal Satoshi Bitcoin?
Theoretically, yes. And it’s not a fringe concern.
Satoshi Nakamoto’s estimated 1.1 million BTC is spread across thousands of early addresses, worth around $75 billion at current prices, accounting for more than 5% of Bitcoin’s total 21-million-coin supply. These coins have never moved. Not once since 2009 and 2010.

That is both what makes Satoshi Nakamoto legendary and what makes this a real problem. Quantum-safe Bitcoin upgrades require wallet owners to voluntarily migrate their funds to new address formats, and that migration requires initiating a transaction. If the wallet owner is gone, unreachable, or no longer has the keys, migration is impossible.
And nobody knows where Satoshi is.
Is this an immediate threat?
No. But the runway is shorter than it was two years ago.
| Timeline | Quantum Capability | Bitcoin Risk Level |
|---|---|---|
| Now (2026) | ~1,000-2,000 physical qubits (IBM, Google) | Negligible. Cannot crack ECDSA. |
| 2027-2029 | Estimate: 100k-500k qubits | Theoretical. Early feasibility window. |
| 2030-2035 | Consensus estimate for cryptographically relevant quantum computers. | Real risk for exposed addresses. |
| Post-2035 | Mature quantum hardware with error correction. | Critical threat to unprotected wallets. |
No quantum computer today can crack Bitcoin’s encryption. But the trajectory is moving faster than the 2020 consensus assumed. Google flagged 2029 as a potential migration deadline for its own systems, which is a sign even the people building quantum hardware are taking this seriously.
What Is the New Fix Researchers Are Proposing?
On May 1, 2026, Paradigm researcher and general partner Dan Robinson published a proposal called PACTs: Provable Address-Control Timestamps.
Here’s what that actually means.
The problem with most Bitcoin quantum fixes is that they require you to do something publicly on-chain. Move your coins. Broadcast a transaction. Create a record that you are aware and active. That is fine for most wallet holders. But for Satoshi Nakamoto, doing that would be the first on-chain activity in over 15 years. And it would immediately reveal whether the pseudonymous creator is still alive and in control of the keys.
PACTs offer a different path. A holder can prove they controlled an address before any quantum threat arrives, without broadcasting anything public and without moving a single satoshi.
How the proposal would work
PACTs use three existing Bitcoin tools, combined in a new way:
- Generate a secret salt. The wallet holder creates a private 256-bit random number (the salt). This never gets published.
- Sign a BIP-322 message. Using the existing BIP-322 full-message signing standard, the holder produces a cryptographic proof that they control the vulnerable address. This proof, combined with the salt, creates a unique commitment hash.
- Timestamp the commitment. The commitment hash is submitted to OpenTimestamps, a free, trustless service that batches hashes into a Merkle tree and anchors the root in a Bitcoin OP_RETURN output. This creates a permanent, verifiable timestamp on the Bitcoin blockchain itself. No private data is published. No public key is revealed.
If Bitcoin later implements a protocol-level rule to disable quantum-vulnerable addresses after a deadline, the PACT holder can submit a STARK zk-proof. That proof lets them show that they knew the salt and held control of the address before the cutoff date. The proof is bound to a specific rescue transaction to prevent replay attacks. And the private key stays hidden.
The whole process costs nothing and reveals nothing publicly. Robinson described OpenTimestamps as a trustless timestamping service, and noted that Satoshi himself designed Bitcoin as a distributed timestamp server in the 2008 whitepaper. There is a certain irony in using Satoshi’s own invention to protect Satoshi Bitcoin.
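The three steps and the later rescue check, as an added example in miniature (not Robinson’s code). The commitment layout `sha256(salt || address || bip322_sig)`, the Merkle rules and the block heights are assumptions; the BIP-322 signature is a constructed stand-in, and the final check is done in the clear where the proposal would use a STARK so the salt and signature stay private.

```python
import hashlib
import secrets

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def make_pact(address: str, bip322_sig: bytes) -> tuple[bytes, bytes]:
    """Steps 1 and 2: draw a 256-bit secret salt, then commit to salt, address and
    the BIP-322 proof. Only the commitment leaves the holder's machine."""
    salt = secrets.token_bytes(32)
    return salt, sha256(salt + address.encode() + bip322_sig)

def merkle_root_and_proof(leaves: list[bytes], index: int):
    """Step 3 in miniature: batch many commitments into one Merkle root (the value
    OpenTimestamps anchors in an OP_RETURN) and keep the sibling path for one leaf."""
    level, proof = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # duplicate the last node on odd levels
        proof.append((level[index ^ 1], index % 2 == 0))  # (sibling, sibling is on the right)
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof

def verify_merkle(leaf: bytes, proof, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = sha256(h + sibling) if sibling_is_right else sha256(sibling + h)
    return h == root

def verify_pact(address, bip322_sig, salt, proof, root, anchor_height, deadline_height) -> bool:
    """The relation a rescue would check: the opening (salt, address, BIP-322 proof)
    hashes to a commitment anchored under `root` before the sunset deadline. A real
    rescue would also verify the BIP-322 signature against the address."""
    if anchor_height >= deadline_height:
        return False
    return verify_merkle(sha256(salt + address.encode() + bip322_sig), proof, root)

def demo() -> bool:
    address = "1ConstructedSatoshiEraAddressXXXXXXXXX"       # constructed, not a real address
    sig = b"constructed-stand-in-for-a-bip322-signature"    # constructed placeholder
    salt, commitment = make_pact(address, sig)
    others = [sha256(b"other holder %d" % i) for i in range(4)]  # constructed batch
    leaves = others[:2] + [commitment] + others[2:]
    root, proof = merkle_root_and_proof(leaves, 2)
    ok = verify_pact(address, sig, salt, proof, root, 900_000, 1_100_000)
    wrong_salt = verify_pact(address, sig, bytes(32), proof, root, 900_000, 1_100_000)
    too_late = verify_pact(address, sig, salt, proof, root, 1_200_000, 1_100_000)
    return ok and not wrong_salt and not too_late
```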
Why the Proposal Is Controversial
PACTs are clever. But “clever” and “ready to deploy” are two different things.
| Arguments For PACTs | Arguments Against PACTs |
|---|---|
| No on-chain activity required: protects privacy. | Bitcoin may never implement a quantum sunset soft fork. |
| Costs nothing if done once the standard format is agreed upon. | STARK verification support needs a future Bitcoin upgrade. |
| Satoshi-era wallets have no other realistic rescue path. | Does not work for multisig or complex scripts. |
| Robinson explicitly says do not rely on this alone. | Community consensus on rescue protocol is not guaranteed. |
| Builds on existing standards (BIP-322, OpenTimestamps). | Cryptographic review is still ongoing. |
Robinson acknowledged the risks plainly. Bitcoin may never implement the sunset. Even if it does, this specific rescue path may not be included. The proposal is designed to give holders optionality, not certainty.
What Is Quantum-Resistant Crypto?
Quantum-resistant crypto refers to blockchain systems or cryptographic algorithms designed to remain secure against attacks from quantum computers.
Most existing blockchains, including Bitcoin and Ethereum, use ECDSA (Elliptic Curve Digital Signature Algorithm). ECDSA is vulnerable to Shor’s algorithm on a sufficiently powerful quantum machine.
The alternatives that are quantum-safe include lattice-based cryptography, hash-based signatures, and code-based schemes. NIST finalized its first post-quantum cryptography standards in August 2024, including CRYSTALS-Dilithium, Falcon, and SPHINCS+. These are considered the current gold standard for post-quantum blockchain security.
Are other blockchains preparing too?
| Blockchain | Current Status | Quantum-Resistant Plan |
|---|---|---|
| Bitcoin | Vulnerable (ECDSA) | BIP-360 (P2QRH address format), early draft stage; no timeline. |
| Ethereum | Vulnerable (ECDSA) | Seven-fork roadmap; won’t be complete until 2029+ at the earliest. |
| QRL (Quantum Resistant Ledger) | Protected since 2018 | Uses XMSS hash-based signatures; already quantum-safe on mainnet. |
| Algorand | Partial protection | Falcon-1024 signatures have been live on the mainnet since November 2025. |
| QANplatform | Protected | Uses CRYSTALS-Dilithium (NIST-approved) |
But to be honest, Bitcoin and Ethereum are still behind. QRL has been quantum-safe since 2018 and remains the most established quantum-resistant chain in production. The major networks are catching up, but quantum cryptography for the biggest blockchains is still unfinished work.
What Happens If Quantum Computers Crack Bitcoin?
The scenario worth thinking through isn’t about someone stealing Satoshi Bitcoin. It’s everything that happens after.
If a cryptographically relevant quantum computer broke even one high-profile wallet, including any of the Satoshi-linked addresses, it would trigger a chain reaction.
Market and trust collapse. The entire value proposition of Bitcoin is that it is unforgeable and censorship-resistant. A successful Bitcoin theft via quantum computing would shatter that foundational assumption and trigger a credibility crisis for blockchain security.

Dormant BTC supply shock. Satoshi-era wallets represent over 5% of the total Bitcoin supply. If that amount hit the market at once, the price impact would be severe. It would not just be a dump. It would be a psychological rupture for Bitcoin holders everywhere.
A fork war. The Bitcoin community would face an impossible choice in the wake of an attack. Do you hard-fork to invalidate the quantum-stolen coins, or do you accept that the protocol failed? Neither answer is clean.
Broader crypto contagion. Ethereum, Litecoin, and dozens of other ECDSA-based chains would face the same scrutiny the moment Bitcoin’s encryption broke.
Paolo Ardoino, CEO of Tether, offered a more blunt take on this: “Any bitcoin in lost wallets, including Satoshi’s if not alive, will be hacked and put back in circulation.” He argued the market would absorb it eventually. I am less confident about “eventually.”
Would every Bitcoin wallet be vulnerable?
Not quite, but a few things to get straight:
- Myth: All Bitcoin will face exposure and eventually be stolen if quantum computers arrive.
  Fact: Only wallets with exposed public keys face direct risk. Modern addresses aren’t directly crackable unless you have transacted.
- Myth: Quantum computers can break Bitcoin’s SHA-256 mining algorithm.
  Fact: SHA-256 isn’t vulnerable to Shor’s algorithm. Mining security is separate from wallet security. The threat is to ECDSA signatures, not proof-of-work.
- Myth: You are safe as long as you use a hardware wallet.
  Fact: Hardware wallets still use ECDSA. Cold storage helps with external hacks; it does not help against a quantum attack on the cryptographic layer itself.
- Myth: The quantum threat is already here.
  Fact: No quantum computer in 2026 can crack Bitcoin’s encryption. The threat is real but several years away under most expert estimates.
How Real Is the Bitcoin Quantum Risk Today?
I want to be direct about this. We aren’t in a panic moment. We are in a planning moment.
Current quantum computers from IBM, Google, and others operate in the range of 1,000-2,000 physical qubits. Cracking Bitcoin’s encryption requires a machine with somewhere between 100,000 and 500,000 error-corrected qubits, and the error correction hardware does not scale linearly. The gap between an impressive lab demo and actually stealing Satoshi Bitcoin is still large.
CryptoQuant founder Ki Young Ju put it well: “Coins that appear perfectly safe today could become spendable by an attacker tomorrow.” Not just Satoshi’s, either. Anyone using old address formats falls in the same category.
How Bitcoin Users Can Prepare for a Quantum Future
If you hold Bitcoin and want to reduce your quantum risk exposure today, here’s what you can actually do:
- Avoid address reuse. Every time you reuse a Bitcoin address after spending from it, your public key stays permanently exposed. Use a fresh address for each transaction.
- Move to SegWit or Taproot addresses. These formats keep your public key hidden until you spend. That reduces your exposure window.
- Check your wallet’s address format. If your wallet uses legacy P2PKH or P2PK addresses from before 2012, it is worth migrating to a newer format now, while the window is open.
- Follow BIP-360 progress. BIP-360 proposes a quantum-resistant Pay-to-Quantum-Resistant-Hash (P2QRH) address format for Bitcoin. It is still in early draft, but tracking its development gives you lead time.
- Don’t move funds in a panic. The threat is real but not immediate. Rushed migrations under poor conditions create their own risks.
- For long-term holdings: consider quantum-resistant chains. If blockchain security is a priority for your portfolio, projects like QRL, Algorand (with Falcon-1024), and QANplatform already run on post-quantum cryptographic signatures.
Final Thoughts
The PACTs proposal from Dan Robinson is the most thoughtful attempt I have seen to solve an otherwise unsolvable problem: how do you protect coins belonging to someone who cannot be reached?
The answer it offers is imperfect but honest. Stake your claim privately. Timestamp the proof. Wait. If the protocol ever creates a rescue path, you are ready. If it does not, you lose nothing but a few minutes of setup time.
The future security of Satoshi Bitcoin may become one of the defining challenges of the quantum computing era, especially if Bitcoin’s original wallets remain permanently exposed.
What makes this situation genuinely strange is that the Satoshi Bitcoin problem is also a philosophical problem for Bitcoin itself. The “your keys, your coins” principle is absolute, until quantum computers make it meaningless. A hard-coded rule that protects holders becomes a liability when the holder is gone, and the attacker is a machine.
Blockchain security has never faced a threat quite like this. The math that protects Bitcoin was designed before practical quantum computing was imaginable. Now both things exist in the same timeline.
FAQs
A powerful enough quantum computer could reverse-engineer a private key from a visible public key using Shor’s algorithm. Most experts think that it becomes realistic sometime in the mid-2030s.
Eventually, yes. Satoshi Bitcoin uses old P2PK addresses where the public key is already exposed, and no migration is possible without keys nobody else has.
A way to prove you owned a wallet before quantum computers existed, without touching your coins or signaling anything publicly. It keeps your options open if Bitcoin ever builds a formal rescue path.
Blockchains that use algorithms like CRYSTALS-Dilithium or XMSS instead of ECDSA. These are designed to hold up against quantum attacks. NIST officially approved the first post-quantum standards in August 2024.
Stop reusing addresses, move to SegWit or Taproot, and keep an eye on BIP-360. Nothing is urgent right now since no quantum hardware today can actually crack Bitcoin.
No. Today’s quantum computers are nowhere near capable of breaking Bitcoin’s encryption. The real window probably opens mid-2030s, though Google’s 2026 research did push that estimate uncomfortably closer.
