USDBitcoin quantum threat draws renewed warnings from researchers and industry figures
Wallet exposure, migration timing and governance questions move to the forefront
TL;DR
- Bitcoin’s quantum computing risk is being treated more seriously, with the clearest concern centered on exposed wallet cryptography.
- Public estimates and industry commentary say current quantum hardware is not yet capable of breaking Bitcoin at scale.
- Bitcoin mining remains far less practical to attack with quantum computing than wallets, while migration planning and governance remain unresolved.
We’ve launched the all-new COIN360 Perp DEX, built for traders who move fast!
Trade 130+ assets with up to 100× leverage, enjoy instant order placement and low-slippage swaps, and earn USDC passive yield while climbing the leaderboard. Your trades deserve more than speed — they deserve mastery.
Bitcoin’s quantum threat is being treated more seriously after new estimates, expert warnings and industry commentary converged on the view that the risk is real but still medium- to long-term, with the main concern centered on wallet cryptography rather than Bitcoin mining. Information released between April 6 and April 8, 2026 showed broad agreement that current quantum hardware is not yet capable of breaking Bitcoin at scale, while pressure is increasing on the Bitcoin community to prepare a migration path before the hardware is ready.
A GSR Research survey of 26 quantum computing experts estimated the odds of a cryptographically relevant quantum computer emerging within 10 years at 28% to 49%, rising to 51% to 70% within 15 years. The survey put midpoint estimates at 38% by year 10, 61% by year 15, 77% by year 20 and 87% by year 30.
The latest technical estimates said a quantum attack on Bitcoin’s elliptic-curve cryptography could require fewer than 1,200 logical qubits and 90 million Toffoli gates in one formulation, and fewer than 1,450 logical qubits and 70 million Toffoli gates in another. Under superconducting assumptions with 10^-3 physical error rates and planar connectivity, the attack could in principle run in minutes with fewer than 500,000 physical qubits.
John M. Martinis, described as a Nobel Prize–winning physicist who helped build Google’s quantum computers, said Bitcoin could be among the earliest real-world targets of quantum attacks because breaking cryptography is one of the easier applications for quantum computing compared with many other proposed uses. Martinis called the latest research “a very well-written paper” and added, “It’s not something that has zero probability; people have to deal with this.” He viewed the engineering timeline for such a machine at five to 10 years.
Adam Back said current quantum computers do not yet pose a practical threat to Bitcoin, but argued that disagreement over the exact timeline should not delay preparation. Back said, “We don’t have to agree about the timeline for quantum computers to become powerful enough to be a threat, because the prudent thing to do is to prepare Bitcoin and give people the option to migrate their keys to a quantum ready format, and to have, let’s say, a decade in which to do that.” He also said current hardware “generally doesn’t have any error correction” and pointed to post-quantum cryptography research by a 20-person team and experiments on Blockstream’s Liquid network.
Wallet risk and migration timing dominate the discussion
The clearest near-term concern is exposed wallet cryptography rather than Bitcoin mining. Gautam Chhugani and Bernstein said quantum risk was “credible but manageable” and should be approached as a system upgrade rather than a collapse scenario. Chhugani said, “Quantum should be seen as a medium to long term system upgrade cycle rather than a risk.” Bernstein also said exposure was concentrated in about 1.7 million BTC held in older legacy wallets and described the likely transition window as three to five years.
A separate governance-focused analysis said the deeper problem may be Bitcoin’s decision-making process rather than the cryptography alone. Zach Pandl, head of research at Grayscale, said, “Public blockchains do not have CTOs; they are global communities governed by consensus.” The same analysis said about 6.9 million BTC sit in wallets whose public keys are already exposed on-chain, including about 1 million BTC believed to belong to Satoshi Nakamoto.
That analysis outlined three response options: burning exposed coins, doing nothing, or slowing their release by limiting the rate at which vulnerable addresses can spend. Bitcoin’s UTXO model, proof-of-work design, lack of native smart contracts and address behavior were described as making Bitcoin relatively less vulnerable than more expressive chains in engineering terms, while still leaving exposed coins at risk.
Samson Mow, identified as Jan3 founder, warned on April 6, 2026 that moving too quickly to post-quantum signatures could create new risks before a quantum machine ever arrives. Mow argued that users could get “pwned by normal computers” if Bitcoin adopts immature protections too quickly.
Former Bitcoin developer Jonas Schnelli said post-quantum signatures are likely to be 10x to 125x larger than current ones, a change that could sharply reduce throughput. Mow said a rushed migration could trigger “Blocksize Wars 2.0,” while also saying truly dangerous quantum computers may not exist for another 10–20 years.
Quantum mining attacks remain far less practical
Bitcoin mining is a much weaker quantum attack thesis than wallets. A research-focused analysis released on April 8, 2026 said using Grover’s algorithm against Bitcoin mining at meaningful scale would require a machine fleet so large that it would move beyond commercial feasibility into physical impossibility.
Peter Gutmann of the University of Auckland and Stephan Neuhaus challenged the credibility of many past quantum factoring “breakthroughs,” saying they replicated major demonstrations with low-tech stand-ins including a 1981 VIC-20 home computer, an abacus and a dog named Scribble trained to bark three times.
Their critique said several demonstrations used rigged numbers with easy-to-guess prime factors or shifted key work into classical preprocessing before handing a simplified task to a quantum machine. One example involving claims tied to RSA-2048 said 10 proof numbers were solved on a VIC-20 emulator in about 16 seconds each using a method adapted by John von Neumann from an abacus technique in 1945. They proposed a stricter standard requiring random numbers, no preprocessing and factors hidden from experimenters.
Public hardware progress remains well short of Bitcoin-breaking scale
Public quantum progress has advanced in below-threshold error correction, small logical-qubit demonstrations and deeper circuits with less noise, but no public system was described as close to the logical scale, fault tolerance or gate depth required for a real secp256k1 attack. Google’s Willow chip was cited at 105 physical qubits, while the most advanced public logical-qubit demonstrations were described as operating in the tens rather than the thousands.
IBM said its systems can run some circuits with more than 5,000 two-qubit gates and has a roadmap to a 200-logical-qubit fault-tolerant system by 2029. Quantinuum reported 48 error-corrected logical qubits and 64 error-detected logical qubits from 98 physical qubits, along with 50 error-detected logical qubits on Helios at better-than-break-even performance. Microsoft and Atom Computing reported 24 entangled logical qubits and computation with 28 logical qubits on neutral-atom hardware.
NIST finalized its first three post-quantum cryptography standards in August 2024 and said organizations should begin migrating now, with vulnerable algorithms moving toward deprecation and removal by 2035. DARPA’s Quantum Benchmarking Initiative is targeting a machine whose computational value exceeds its cost by 2033 while still validating architectures rather than certifying any utility-scale system.
Advanced quantum development also remains expensive and concentrated. PsiQuantum raised $1 billion in 2025 and was also tied to a separate A$940 million public package in Australia for the Brisbane build. Quantinuum raised roughly $300 million in early 2024 and later secured additional financing in 2025. Illinois announced a $500 million quantum park plan and a reported $200 million tax incentive package tied to the Chicago site. A first-generation cryptographically relevant machine was described as likely costing in the low single-digit billions of dollars.
The long-term access question remains unsettled. One historical comparison cited Whitfield Diffie and Martin Hellman estimating in 1977 that brute-forcing DES would cost about $20 million per day, the EFF’s Deep Crack machine breaking DES in 56 hours in 1998 for under $250,000, and the COPACOBANA machine pushing the cost below $10,000 by 2006. The same discussion said that even if Google built a Bitcoin-cracking machine in 2029, bad actors might still be more than 30 years away from gaining similar capability.
A comparative discussion said Ethereum faced five attack vectors worth more than $100 billion in combined exposure, covering account keys, admin keys on stablecoins, smart contract code, consensus mechanisms and data availability. Justin Drake estimated at least a 10% chance of quantum key recovery by 2032.
FAQ
What is the main Bitcoin quantum risk?
Exposed wallet cryptography is the primary risk described.
How much legacy Bitcoin did Bernstein flag?
Bernstein said about 1.7 million BTC sat in older legacy wallets.
How much Bitcoin was described as publicly exposed on-chain?
About 6.9 million BTC was described as publicly exposed on-chain.
Can current public quantum hardware break Bitcoin?
No public system described here was close to that threshold.
This article has been refined and enhanced by ChatGPT.
