If you’ve ever typed “is bitcoin at risk from quantum computers” into a search bar, you’re not alone. The idea that a new kind of supercomputer could suddenly crack Bitcoin’s cryptography and drain wallets is tailor-made for headlines and anxiety.
The truth is less cinematic but more interesting: quantum computing is a serious long‑term security issue for Bitcoin, but not an instant death sentence—and the network has both a clock and a roadmap to adapt.
Why everyone suddenly talks about quantum risk
A few years ago, quantum computing was mostly a research buzzword. Now you have big tech and governments pouring billions into it, chip announcements every quarter, and headlines like “Bitcoin faces the quantum countdown.”
One global equity strategist at Jefferies even removed Bitcoin from his model portfolio, explicitly citing quantum computing as a long‑term security concern. That kind of move turns an abstract technology topic into a market narrative very quickly.
At the same time, researchers and security agencies warn that adversaries may already be stockpiling encrypted data today in “harvest now, decrypt later” attacks, planning to unlock it once cryptographically relevant quantum computers arrive. That includes public blockchains.
Quick primer: how Bitcoin is secured
To understand the quantum threat to Bitcoin, you need just two building blocks:
- Digital signatures (ECDSA and Schnorr). When you send BTC, you prove ownership with a digital signature over the secp256k1 elliptic curve: ECDSA for legacy and SegWit v0 outputs, Schnorr (BIP 340) for Taproot. Your public key is visible once it is used; your private key must remain secret.
- Hashing (SHA‑256 and RIPEMD‑160). Bitcoin’s proof‑of‑work uses SHA‑256, and most address types commit to a hash of the public key (RIPEMD‑160 of SHA‑256, often called hash160) rather than the key itself. Hash functions turn data into fixed‑length fingerprints that are hard to reverse.
Today, classical computers find it practically impossible to derive a private key from a public key or reverse a strong hash within the lifetime of the universe. That “practically impossible” assumption is exactly what quantum computing attacks.
What quantum computers can and can’t do
Quantum computers are not just “faster laptops.” They rely on qubits, which can represent 0 and 1 in superposition, and exploit interference to solve certain math problems radically faster than classical machines.
Two algorithms matter most for Bitcoin:
- Shor’s algorithm. This efficiently solves the integer factoring and discrete‑logarithm problems behind RSA and elliptic‑curve cryptography. In plain language: a sufficiently powerful quantum computer running Shor’s algorithm could derive a Bitcoin private key from any public key it can see.
- Grover’s algorithm. This gives a quadratic speed‑up for brute‑force search, which roughly halves the effective bit‑security of preimage and collision‑style attacks on hashes (a 2^256 search becomes about 2^128 quantum steps, and the 160‑bit hash160 drops to about 2^80). It would weaken hash‑based proof‑of‑work, but not in the catastrophic way Shor’s algorithm breaks signatures; the speed‑up is modest in practice because the quantum steps run serially, and the protocol can partly compensate by moving to longer hashes or adjusting difficulty.
So the main existential concern is not mining; it is signatures—specifically, public keys that are visible on‑chain.
Which parts of Bitcoin are actually vulnerable?
Not all BTC is equally exposed to quantum attacks. The core issue is public key exposure on‑chain.
- Pay‑to‑Public‑Key (P2PK) outputs, used by early mining rewards and some early coins, put the raw public key directly in the output script, so the key is exposed from the moment the coins are received.
- Hash‑based outputs (legacy P2PKH and SegWit v0 P2WPKH) put only a hash of the public key on‑chain. The public key itself becomes visible the first time you spend from that address, which is why address reuse after a spend leaves later deposits exposed.
- Taproot (P2TR) outputs place the 32‑byte tweaked public key directly in the output script, so, like P2PK, the key is exposed as soon as funds arrive; an attacker who recovers its discrete logarithm can spend through the key path. This is the exposure that BIP 360 is designed to remove.
Analyses by Deloitte and others suggest that roughly 25–30% of all Bitcoin, on the order of 4–6 million BTC, already sits in outputs where the public key has been revealed, including a large chunk of early P2PK coins often attributed to Satoshi Nakamoto. Some research puts the broader exposure closer to 30–40% once you include Taproot outputs and reused addresses.
Here’s a simplified view:
[Chart: Quantum risk across Bitcoin’s surface, vulnerability by address type]
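To make the “is my public key already on‑chain?” question concrete, here is an added example (not code from the article or from any Bitcoin project) that derives a secp256k1 public key the way a wallet does and then classifies raw scriptPubKeys by whether a Shor‑capable attacker would already have the public key to work from. It assumes a constructed set of sample outputs; the 20‑byte hash placeholder stands in for a real hash160, and the Taproot key is used untweaked for simplicity (a real P2TR output carries the BIP 341 tweaked key, which is exposed in exactly the same way).

```python
"""Classify Bitcoin outputs by whether the spending public key is already
visible on-chain, i.e. whether Shor's algorithm would have something to attack.
Added example; not from the article or any Bitcoin project."""

# secp256k1 domain parameters (the curve behind Bitcoin's ECDSA and Schnorr keys)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if p1 == p2:                                   # doubling
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    elif x1 == x2:                                 # p1 == -p2
        return None
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication: private key -> public key.
    Shor's algorithm is the operation in the other direction."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def compressed_pubkey(d: int) -> bytes:
    """33-byte SEC encoding used in P2PK, P2PKH and P2WPKH spends."""
    x, y = ec_mul(d)
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def xonly_pubkey(d: int) -> bytes:
    """32-byte x-only key as placed in a Taproot output script (untweaked here)."""
    return ec_mul(d)[0].to_bytes(32, "big")


EXPOSED_NOW = "exposed: public key sits in the output script"
EXPOSED_BY_REUSE = "exposed: key revealed by an earlier spend (address reuse)"
HIDDEN = "hidden: only hash160 on-chain until spent"
UNKNOWN = "unknown: script type not modelled"


def classify_output(spk: bytes, key_revealed: bool = False) -> tuple[str, str]:
    """Return (script type, exposure) for a scriptPubKey.
    key_revealed: the same key was already shown in a previous spend."""
    n = len(spk)
    if n in (35, 67) and spk[0] in (33, 65) and spk[-1] == 0xAC:   # <pubkey> OP_CHECKSIG
        return "P2PK", EXPOSED_NOW
    if n == 34 and spk[:2] == b"\x51\x20":                           # OP_1 <32-byte key>
        return "P2TR", EXPOSED_NOW
    hash_status = EXPOSED_BY_REUSE if key_revealed else HIDDEN
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", hash_status                                  # OP_DUP OP_HASH160 <20> ...
    if n == 22 and spk[:2] == b"\x00\x14":                           # OP_0 <20-byte hash160>
        return "P2WPKH", hash_status
    return "other", UNKNOWN


def exposure_summary(utxos) -> dict:
    """Sum satoshis per exposure class over (scriptPubKey, sats, key_revealed) tuples."""
    totals = {"exposed": 0, "hidden": 0, "unknown": 0}
    for spk, sats, revealed in utxos:
        totals[classify_output(spk, revealed)[1].split(":")[0]] += sats
    return totals


# Constructed sample UTXO set. Private keys 1 and 2 are for illustration only;
# FAKE_HASH160 stands in for RIPEMD160(SHA256(pubkey)).
FAKE_HASH160 = bytes(range(20))
SAMPLE_UTXOS = [
    (b"\x21" + compressed_pubkey(1) + b"\xac", 5_000_000_000, False),          # early P2PK
    (b"\x76\xa9\x14" + FAKE_HASH160 + b"\x88\xac", 100_000_000, False),         # fresh P2PKH
    (b"\x76\xa9\x14" + FAKE_HASH160 + b"\x88\xac", 200_000_000, True),          # reused P2PKH
    (b"\x00\x14" + FAKE_HASH160, 50_000_000, False),                            # fresh P2WPKH
    (b"\x51\x20" + xonly_pubkey(2), 300_000_000, False),                        # Taproot
]

if __name__ == "__main__":
    for spk, sats, revealed in SAMPLE_UTXOS:
        kind, status = classify_output(spk, revealed)
        print(f"{kind:7} {sats / 1e8:8.2f} BTC  {status}")
    print(exposure_summary(SAMPLE_UTXOS))
```

The point of the summary is that exposure is a property of the output script plus the address’s spend history, not of the wallet brand: the Taproot output is as exposed as the 2009‑style P2PK output, while the fresh P2WPKH and P2PKH outputs would additionally require a hash preimage, which Shor’s algorithm does not provide.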
How big is the risk today?
Here’s the key reassurance: no publicly known quantum computer is anywhere near powerful enough to break Bitcoin’s secp256k1 signatures today. Published resource estimates put the attack at a few thousand error‑corrected logical qubits, which at current error rates translates into millions of physical qubits running for hours per key, far beyond today’s machines of a few hundred to a few thousand noisy physical qubits.
That said, credible experts disagree sharply on the quantum computer timeline:
- Some, like Adam Back, argue that Bitcoin faces no meaningful quantum risk for 20–40 years based on current qubit counts and error correction limits.
- Others, including researchers and industry figures quoted by outlets like Cointelegraph and by the QRL project, warn that a cryptographically relevant quantum computer might appear within 2–10 years.
- U.S. and U.K. agencies are planning on a similar horizon: the NSA’s CNSA 2.0 guidance expects new national‑security systems to prefer post‑quantum algorithms from 2025 and use them exclusively by roughly 2030–2033, and the U.K. NCSC asks organizations to have migration plans in place by 2028 and to finish by 2035. Both treat the risk as a matter of years, not multiple decades.
So the honest answer: the threat is not “tomorrow,” but the safety margin is uncertain, and conservative actors are planning for less than a decade.
Why “harvest now, decrypt later” matters for Bitcoin
Even if quantum computers can’t break Bitcoin today, attackers can already copy and store every byte of blockchain data essentially for free. Central banks, including the Federal Reserve in its research notes, have warned that quantum computers could one day break the cryptography protecting historical financial data. For Bitcoin the situation is slightly different: transaction data is not encrypted at all, so there is nothing to “decrypt”; what a future attacker recovers is the private key behind every public key that has ever been published.
For Bitcoin, that means:
- Any transaction that already revealed a public key is permanently recorded and available for future quantum analysis.
- A future attacker with a cryptographically relevant quantum computer could work through these exposed keys and drain coins from inactive or slow‑moving wallets.
This is why quantum risk for long‑term holders—people planning to sit on coins for decades without moving them—is more acute than for active traders who frequently rotate through new, safer addresses.
The seven‑year race: how long would Bitcoin need to upgrade?
Even if the community agreed tomorrow that Bitcoin must become a quantum‑resistant blockchain, the upgrade would not be instant. Research from Bitcoin developers such as Ethan Heilman suggests that, from first proposal to full migration, you should expect something like a seven‑year process in a best‑case, high‑cooperation scenario.
That timeline breaks down into:
- A few years to design, discuss, and standardize a post‑quantum signature scheme in Bitcoin Improvement Proposals (BIPs).
- Roughly 2–3 years for review, implementation, testing, and soft‑fork activation.
- Years of coordination for wallets, exchanges, custodians, and users to actually migrate to quantum‑safe addresses, on top of Bitcoin’s limited transaction throughput.
Crucially, Bitcoin cannot just “flip a switch” and silently upgrade everyone. Owners must actively move funds out of vulnerable outputs; otherwise, those BTC remain sitting ducks for future quantum attacks.
What is BIP 360 and why does it matter?
The good news: Bitcoin has already taken its first concrete step toward post‑quantum cryptography. In February 2026, developers merged BIP 360 into the official BIP repository.
- BIP 360 introduces a new output type called Pay‑to‑Merkle‑Root (P2MR). Where a Taproot output places a tweaked elliptic‑curve public key in the output script, a P2MR output commits only to the Merkle root of its spending scripts, so no public key sits on‑chain waiting for Shor’s algorithm.
- It builds on Taproot’s script‑tree design but drops the key‑path spend entirely; funds can only be spent through the script path. On its own that does not change the signature algorithm, but it gives the protocol a place to plug in post‑quantum signature opcodes later without another output‑type redesign.
This doesn’t make Bitcoin quantum‑safe overnight. It does, however, signal that post‑quantum cryptography is now part of Bitcoin’s technical roadmap, not just an academic concern.
A realistic investor story
Here’s a composite story I hear versions of all the time:
In 2017, an early adopter bought a few BTC, sent them once to a single address, and never touched them again. They read somewhere that reusing addresses was bad, but they figured, “I’m a long‑term HODLer; I don’t trade, so I’m fine.”
Fast‑forward to 2026. They stumble onto an article explaining that older address types and reused addresses have their public keys exposed on‑chain, making them prime targets the moment quantum computers become strong enough. They realize their coins are sitting in exactly that setup.
What changed for them was not the immediate risk—which is still low today—but their time horizon. Suddenly, “I’m holding this for 20+ years” now means “I should proactively move to quantum‑safer addresses once standards harden,” rather than ignoring the issue and hoping for the best.
What happens if Bitcoin does nothing?
If Bitcoin never migrated to post‑quantum cryptography and a powerful quantum computer suddenly arrived, several things could happen:
- Attackers could target exposed public keys and drain dormant or slow‑moving wallets first, including early P2PK addresses and famous hoards like Satoshi’s coins.
- Confidence in Bitcoin as a long‑term store of value could be badly damaged, even if only a fraction of coins were directly stolen.
- Mining might gradually centralize around quantum‑equipped entities, but that’s a slower and more adjustable problem than mass key theft.
In a true worst‑case scenario, you’d see contentious forks, rushed emergency patches, and chaotic attempts to “burn” or freeze vulnerable coins versus letting them be stolen—all the things protocol designers want to avoid.
What Bitcoin developers and researchers are doing now
The ecosystem is not asleep at the wheel. There are several parallel efforts:
- Academic and industry research into post‑quantum signature schemes suitable for high‑throughput blockchains, with groups like QRL and Project Eleven focusing specifically on crypto networks.
- Bitcoin‑specific proposals like BIP 360 (P2MR), which aim to harden how outputs are structured so fewer public keys end up exposed on‑chain.
- Ecosystem‑wide PQC work, where standards bodies and vendors roll out quantum‑safe TLS, hardware security modules, and wallet infrastructure so that quantum‑safe Bitcoin isn’t undermined by quantum‑weak plumbing around it.
One important takeaway from Project Eleven’s work and similar research: post‑quantum migration is not optional if Bitcoin wants to remain a serious long‑term asset. The only question is how early the community starts and how cleanly it coordinates the change.
Practical steps for everyday Bitcoin holders
You can’t control when a cryptographically relevant quantum computer appears. You can reduce your personal attack surface.
- Prefer hash‑based output types (legacy P2PKH or, better, native SegWit P2WPKH) for coins you intend to hold for a long time. These keep your public key off‑chain until you spend. Note that Taproot does the opposite: it publishes the tweaked public key in the output itself, so it does not buy you any quantum margin.
- Avoid reusing addresses. Once you spend from an address, its public key is public forever, so any later deposits to it are exposed. Generate a fresh receive address for each payment.
- Keep your seed phrase offline and secure; an attacker who steals your backup doesn’t need a quantum computer.
- Stay informed about post‑quantum cryptography upgrades and be ready to move coins when major wallets and exchanges support quantum‑safe outputs.
- If you’re a large or institutional holder, start talking to custodians now about their quantum‑safe wallet roadmap rather than waiting for a panic cycle.
Think of this like upgrading from HTTP to HTTPS years ago. The web didn’t collapse first; prudent operators moved early.
So, is bitcoin at risk from quantum computers or not?
Here’s the blunt, expert‑level answer to “is bitcoin at risk from quantum computers”:
- Yes, in the long term. Bitcoin’s current elliptic‑curve signatures are fundamentally vulnerable to Shor’s algorithm, and a non‑trivial share of coins already sit in exposed addresses. That makes quantum risk real for long‑horizon holders.
- No, not in the sense of “any day now it could vanish overnight.” Today’s quantum hardware is many orders of magnitude too weak to mount practical attacks on Bitcoin, and there is still time—though not infinite time—for a careful migration to post‑quantum schemes.
- The real danger is complacency. Because Bitcoin’s governance and upgrade processes are deliberately slow, the ecosystem probably needs most of the next decade to roll out and adopt robust, quantum‑resistant cryptography.
If you’re a broad‑audience reader, the takeaway is simple: Bitcoin is not about to be “broken” by quantum computers next week, but the clock is ticking, and the seriousness with which developers, researchers, and regulators are treating the issue is a feature, not FUD.

