Why Satoshi’s Wallet Is a Prime Quantum Target
Satoshi Nakamoto’s estimated 1.1 million Bitcoin (BTC) is often described as the crypto world’s ultimate “lost treasure.” Sitting on the blockchain like a dormant volcano, this digital ghost ship has not seen an on-chain transaction since its creation. Valued at approximately $67 billion to $124 billion at current market rates, this massive stash has become legendary.
However, for a growing number of cryptographers and physicists, Satoshi’s wallet is more than just a legend—it represents a multibillion-dollar security risk. The threat is not from hackers, server breaches, or lost passwords; it comes from the emergence of an entirely new form of computation: quantum computing.
As quantum machines move from theoretical research labs to powerful working prototypes, they pose a potential threat to existing public-key cryptography, including the digital signature scheme that protects Satoshi’s coins, the wider Bitcoin network, and parts of the global financial infrastructure. This is not a distant “what if.” The race to build both a cryptographically relevant quantum computer and a quantum-resistant defense is one of the most critical and well-funded technological efforts of our time.
Why Satoshi’s Early Wallets Are Easy Quantum Targets
Most modern Bitcoin wallets keep the public key off the blockchain until the coins are spent. Satoshi’s legacy pay-to-public-key (P2PK) outputs do not: their public keys are permanently exposed on-chain from the moment the coins are received.
It is important to understand that not all Bitcoin addresses are created equal. The vulnerability lies in the type of addresses Satoshi used back in 2009 and 2010.
Most Bitcoin today is held in pay-to-public-key-hash (P2PKH) addresses, which start with “1,” in script-hash (P2SH) addresses that start with “3,” or in newer SegWit addresses that begin with “bc1q.” In these address types, the blockchain stores only a hash of the public key (or of a script) when coins are received, and the actual public key appears only when the coins are spent. The one exception among SegWit types is Taproot (“bc1p” addresses), which places a tweaked public key directly in the output and is therefore exposed from the start, just like P2PK.
Think of it like a bank’s drop box: the address hash is the mail slot where anyone can drop money in, and the public key is the locked metal door behind that slot. No one sees the lock or its mechanism until you decide to spend the coins. At the moment you spend, your private key “unlocks” the door, and the lock itself (the public key) becomes visible to everyone for good.
Satoshi’s coins, however, sit in much older P2PK outputs. In this legacy format there is no hash: the public key itself is written into the output script, permanently visible to anyone with a copy of the blockchain. For classical computers this does not matter, because recovering a private key from a public key remains computationally infeasible.
For a quantum computer, however, that exposed public key is a detailed blueprint and an open invitation to pick the lock.
How Shor’s Algorithm Lets Quantum Machines Break Bitcoin
Bitcoin’s security relies on the Elliptic Curve Digital Signature Algorithm (ECDSA), which depends on math that is computationally infeasible for classical computers to reverse.
Shor’s algorithm, if run on a sufficiently powerful quantum computer, is designed to break that math.
Bitcoin’s security model is built on ECDSA over the secp256k1 curve, which depends on a one-way mathematical assumption: it is easy to multiply the curve’s generator point by a private key (a 256-bit number) to derive the public key, but essentially impossible to reverse the process and find the private key from the public key. This challenge is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP).
A classical computer has no efficient way to undo that multiplication. Guessing every possible key means searching about 2^256 candidates, a 78-digit number, and even the best known classical attacks on the problem, such as Pollard’s rho, still need on the order of 2^128 curve operations. This is why Bitcoin is safe from every classical supercomputer, now and in the foreseeable future.
A quantum computer, on the other hand, would not rely on guessing but on structure. Shor’s algorithm, published in 1994, uses quantum superposition and a quantum Fourier transform to find hidden periods efficiently, and the elliptic curve discrete logarithm can be recast as exactly that kind of period-finding problem.
This means that on a sufficiently powerful quantum computer, an exposed public key could be turned back into the single private key that created it, in hours or days according to published resource estimates. An attacker would not need to break into any server; they could simply harvest exposed P2PK public keys from the blockchain, feed each one to the quantum machine, and wait for the private keys to come out. With those keys they could sign valid transactions and move Satoshi’s 1.1 million coins.
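To make the asymmetry concrete, here is an added example in Python (not code from the original article): the real secp256k1 parameters, scalar multiplication to derive a public key the way a wallet does, and a brute-force discrete log that only finishes on a toy curve. The private key used is a constructed value, and the toy curve over F_97 is chosen so that exhaustive search completes in five steps. Nothing here runs Shor’s algorithm, which needs quantum hardware; the point is that the forward direction costs a few hundred group operations for a 256-bit key while the naive reverse direction costs as many operations as there are keys.

```python
"""Elliptic-curve key derivation (easy direction) versus discrete log (hard direction).

Added example, not code from the original article. Curve constants are the public
secp256k1 parameters used by Bitcoin; the private key below is a constructed test
value, and the small curve at the end is a toy chosen so exhaustive search finishes.
"""

# secp256k1: y^2 = x^3 + 7 over the prime field F_P, generator G of prime order N
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # the point at infinity (group identity)


def on_curve(pt, p=P, a=0, b=7):
    """Check y^2 == x^3 + a*x + b (mod p); INF counts as on the curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0


def add(p1, p2, p=P, a=0):
    """Group law: chord-and-tangent addition, including the doubling case."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                      # P + (-P), or doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, pt, p=P, a=0):
    """Double-and-add scalar multiplication: about 256 doublings plus up to 256
    additions for a 256-bit k. This is the cheap direction, all a wallet needs."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt, p, a)
        pt = add(pt, pt, p, a)
        k >>= 1
    return acc


def pubkey(priv):
    """Bitcoin public key derivation: Q = priv * G, with 0 < priv < N."""
    if not 0 < priv < N:
        raise ValueError("private key out of range")
    return mul(priv, G)


def dlog_bruteforce(target, gen, order, p, a):
    """The hard direction, done the naive way: walk d*gen for d = 0, 1, 2, ... until it
    equals target. Cost is O(order) group operations; for secp256k1 that is ~2^256,
    and even the best classical method (Pollard's rho) needs ~2^128. Shor's algorithm
    replaces this search with polynomial-time period finding."""
    acc = INF
    for d in range(order):
        if acc == target:
            return d
        acc = add(acc, gen, p, a)
    return None


# Toy curve y^2 = x^3 + 2x + 3 over F_97; TOY_G = (3, 6) generates a subgroup of order 5.
TOY_P, TOY_A, TOY_G, TOY_ORDER = 97, 2, (3, 6), 5


def toy_recover(priv):
    """Derive the toy public key, then recover priv from it by exhaustive search."""
    pub = mul(priv, TOY_G, TOY_P, TOY_A)
    return dlog_bruteforce(pub, TOY_G, TOY_ORDER, TOY_P, TOY_A)


if __name__ == "__main__":
    d = 0xC0FFEE_1234_5678_9ABC_DEF0_1234_5678   # constructed private key, not a real wallet key
    Q = pubkey(d)
    print("on curve:", on_curve(Q), " x =", hex(Q[0]))
    print("toy dlog recovers", toy_recover(3))
```

Deriving `Q` from `d` takes a few hundred point operations; `dlog_bruteforce` on secp256k1 would need to be called with `order=N`, which is the 2^256 search the text describes, and is only ever run here on the five-element toy group.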
Did you know? Breaking a single Bitcoin public key is estimated to require a quantum machine with roughly 2,330 stable logical qubits. Because today’s physical qubits are noisy and error-prone, experts believe a fault-tolerant system would need well over 1 million physical qubits to produce those 2,330 logical ones.
How Close Are We to “Q-Day”?
Companies like Rigetti and Quantinuum are racing to build cryptographically relevant quantum computers, and the timeline for reaching such capabilities is shortening dramatically—from decades to years.
“Q-Day” is the hypothetical moment when a quantum computer becomes capable of breaking current encryption standards.
For years, Q-Day was considered a distant 10-to-20-year problem, but that timeline is compressing rapidly.
The reason so many physical qubits are needed to form reliable logical qubits is quantum error correction. Qubits are incredibly fragile and sensitive to environmental disturbances such as slight vibrations, temperature changes, or radiation, which cause decoherence and errors in quantum calculations.
To perform complex calculations like breaking ECDSA, stable logical qubits are essential. Typically, creating a single logical qubit requires hundreds or thousands of physical qubits arranged in an error-correcting code. This adds significant overhead needed to maintain stability.
The quantum race is accelerating. Firms such as Quantinuum, Rigetti, and IonQ, alongside tech giants Google and IBM, are publicly pursuing aggressive quantum roadmaps. For example, Rigetti aims to reach a 1,000-plus qubit system by 2027.
These public advancements do not include classified state-level research. The first nation to reach Q-Day could theoretically hold a master key to global financial systems and intelligence data. Therefore, quantum-resistant defenses must be developed and deployed before quantum attacks become feasible.
Why Millions of Bitcoin Are Exposed to Quantum Attacks
A 2025 report by the Human Rights Foundation found that 6.51 million BTC are held in addresses vulnerable to quantum attacks, with 1.72 million of these, including Satoshi’s coins, considered lost or unmovable.
Satoshi’s wallet is the largest prize, but it is not the only vulnerable one. The report analyzed the entire blockchain for quantum vulnerabilities and revealed that:
- 1.72 million BTC reside in very early address types, believed to be dormant or lost, including Satoshi’s estimated 1.1 million BTC in P2PK addresses.
- An additional 4.49 million BTC are vulnerable but could be secured by migrating to safe addresses, suggesting their owners are likely still able to act.
The vulnerability in the additional 4.49 million BTC arises mainly from address reuse. These users employed P2PKH addresses but, after spending from them (which places the public key on-chain in the spending transaction), they received new funds back to the same address, a common practice in the early 2010s.
That reuse permanently exposed their public keys, making these otherwise hash-protected wallets as vulnerable as Satoshi’s legacy P2PK outputs.
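The difference between outputs that expose a key at creation (P2PK, and Taproot) and outputs that expose it only through spending and reuse can be checked mechanically. The following Python is an added example, not code from the article or from the HRF report: it classifies scriptPubKey templates and walks a constructed three-transaction chain to label each unspent output as exposed by type, exposed by reuse, hidden, or script-hash. Keys, key hashes, signatures and txids are placeholder values; on a real node the same logic would read transactions from RPC, and reuse could additionally be matched by computing HASH160 of each revealed key.

```python
"""Which unspent outputs have their public key exposed on-chain?

Added example, not code from the original article or the HRF report. The
transactions are constructed toy data: keys, key hashes and signatures are
placeholder bytes, and txids are single letters.
"""
from typing import Optional

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


def classify_spk(spk: bytes) -> str:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"      # <push> <33- or 65-byte pubkey> OP_CHECKSIG: the key sits in the script
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"     # only HASH160(pubkey) is stored ("1..." addresses)
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "p2sh"      # hash of a script ("3..." addresses)
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh"    # segwit v0 key hash ("bc1q..." addresses)
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "p2wsh"
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "p2tr"      # segwit v1: the 32-byte x-only output key is itself a public key ("bc1p...")
    return "unknown"


EXPOSED_AT_CREATION = {"p2pk", "p2tr"}
KEY_HASH_ONLY = {"p2pkh", "p2wpkh"}


def pushes(script: bytes) -> list:
    """Split a scriptSig into its data pushes (direct pushes of 1..75 bytes cover sig + pubkey)."""
    out, i = [], 0
    while i < len(script):
        n = script[i]
        if 1 <= n <= 75:
            out.append(script[i + 1:i + 1 + n])
            i += 1 + n
        else:
            i += 1   # a bare opcode carries no data
    return out


def revealed_pubkey(prev_type: str, vin: dict) -> Optional[bytes]:
    """The public key an input discloses when it spends a key-hash output."""
    if prev_type == "p2pkh":
        return pushes(vin["scriptSig"])[-1]   # scriptSig = <sig> <pubkey>
    if prev_type == "p2wpkh":
        return vin["witness"][-1]             # witness = [sig, pubkey]
    return None


def exposure_report(txs: list) -> dict:
    """Map each unspent outpoint (txid, n) to: exposed-by-type, exposed-by-reuse,
    hidden, or script-hash. Reuse is tracked per scriptPubKey: once any output with
    that script has been spent, the key behind every sibling output is public."""
    spk_of, spent, revealed_for = {}, set(), {}
    for tx in txs:                        # txs must be in chain order
        for n, spk in enumerate(tx["vout"]):
            spk_of[(tx["txid"], n)] = spk
        for vin in tx["vin"]:
            prev = (vin["txid"], vin["vout"])
            if prev not in spk_of:
                continue                  # coinbase, or prevout outside our sample
            spent.add(prev)
            pk = revealed_pubkey(classify_spk(spk_of[prev]), vin)
            if pk is not None:
                revealed_for[spk_of[prev]] = pk
    report = {}
    for outpoint, spk in spk_of.items():
        if outpoint in spent:
            continue
        kind = classify_spk(spk)
        if kind in EXPOSED_AT_CREATION:
            report[outpoint] = "exposed-by-type"
        elif kind in KEY_HASH_ONLY:
            report[outpoint] = "exposed-by-reuse" if spk in revealed_for else "hidden"
        else:
            report[outpoint] = "script-hash"   # P2SH/P2WSH: depends on the redeem script
    return report


# --- constructed sample chain -------------------------------------------------
def p2pk(pub): return bytes([len(pub)]) + pub + bytes([OP_CHECKSIG])
def p2pkh(h20): return bytes([OP_DUP, OP_HASH160, 0x14]) + h20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
def p2wpkh(h20): return bytes([OP_0, 0x14]) + h20
def p2tr(x32): return bytes([OP_1, 0x20]) + x32

K1, K2, K3 = (b"\x02" + bytes(range(1, 33)), b"\x03" + bytes(range(33, 65)),
              b"\x02" + bytes(range(65, 97)))          # placeholder keys, not real curve points
H2, H3, H4 = b"\x11" * 20, b"\x22" * 20, b"\x33" * 20   # stand-ins for HASH160(K2), etc.
SIG = b"\x30\x44" + b"\x00" * 68 + b"\x01"              # placeholder DER sig + SIGHASH_ALL byte

SAMPLE_TXS = [
    {"txid": "a", "vin": [], "vout": [p2pk(K1), p2pkh(H2), p2wpkh(H3)]},
    # b spends a:1, revealing K2, then pays change back to the same H2 (address reuse)
    {"txid": "b", "vin": [{"txid": "a", "vout": 1,
                           "scriptSig": bytes([len(SIG)]) + SIG + bytes([len(K2)]) + K2}],
     "vout": [p2pkh(H2), p2pkh(H4)]},
    # c spends a:2 via witness, revealing K3, and pays to a Taproot output
    {"txid": "c", "vin": [{"txid": "a", "vout": 2, "witness": [SIG, K3]}],
     "vout": [p2tr(bytes(range(100, 132)))]},
]

if __name__ == "__main__":
    for (txid, n), status in sorted(exposure_report(SAMPLE_TXS).items()):
        print(f"{txid}:{n} {status}")
```

On the sample chain, `a:0` (P2PK) and `c:0` (Taproot) are exposed by type, `b:0` is exposed because its address was already spent from, and `b:1` is the only output whose key is still hidden; spent outputs are dropped because only unspent coins are at stake.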
If a malicious actor were the first to reach Q-Day, simply moving Satoshi’s coins would serve as proof of a successful quantum attack. This event could instantly shatter Bitcoin’s fundamental security, triggering market-wide panic, bank runs on exchanges, and an existential crisis for the entire crypto ecosystem.
Did you know? A common tactic under discussion is “harvest now, decrypt later.” Malicious actors are already recording encrypted internet traffic with the intention of decrypting it years from now, once they possess quantum computing capabilities. Public keys that are already visible on the blockchain need no harvesting at all: they can be collected at any time and attacked the day the hardware exists.
How Bitcoin Could Switch to Quantum-Safe Protection
The entire tech world is moving toward new quantum-resistant cryptographic standards. For Bitcoin, this transition would require a major network upgrade, typically through a soft fork to adopt a new algorithm.
The cryptographic community is proactively developing solutions. Post-quantum cryptography (PQC) is a new generation of public-key algorithms (digital signatures and key exchange) based on different mathematical problems that are believed to be hard for both classical and quantum computers.
Instead of relying on elliptic curves, many PQC algorithms use structures such as lattices, while others rely only on hash functions. The U.S. National Institute of Standards and Technology (NIST) has been leading the global effort to standardize these algorithms.
In August 2024, NIST published its first three finalized PQC standards: FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber) for key encapsulation, FIPS 204 (ML-DSA, the Module-Lattice-based Digital Signature Algorithm derived from CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, a hash-based signature scheme derived from SPHINCS+). For a signing use case like Bitcoin’s, ML-DSA and SLH-DSA are the relevant two.
The wider technology community is already adopting PQC. OpenSSH 10.0, released in April 2025, made the hybrid ML-KEM key exchange (mlkem768x25519-sha256) its default, and Cloudflare reported in 2025 that a majority of its web traffic is now protected by PQC key exchange.
For Bitcoin, the path forward will likely involve a network-wide software update introducing new quantum-resistant output types, such as the proposed “P2PQC” addresses. This upgrade would not force users to move their funds; instead, they could voluntarily migrate from existing address types (P2PK, P2PKH, SegWit, or Taproot) to the new quantum-safe ones. Coins whose keys have been lost, Satoshi’s included, cannot be migrated by anyone, so their fate is a policy question as much as an engineering one.
This migration strategy would resemble the rollout of the SegWit upgrade, providing a smooth and voluntary transition to stronger cryptographic security.
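The article names lattice schemes, but the simplest way to see why a post-quantum signature sidesteps Shor’s algorithm, and what it costs in block space, is a hash-based one-time signature. The Python below is an added example, not code from the article, from NIST, or from any Bitcoin proposal: a textbook Lamport scheme whose security rests only on SHA-256 preimage resistance (Shor does not apply; Grover at most halves the exponent). It also shows the one-time property an engineer has to respect, and reports the byte sizes. The seed and messages are constructed. For scale, a compressed ECDSA key is 33 bytes and a DER signature about 71 bytes; a Lamport public key is 16,384 bytes and a signature 8,192 bytes; the standardized ML-DSA-44 sits in between at 1,312 and 2,420 bytes respectively, which is why signature size dominates the design of any “P2PQC” output type.

```python
"""Lamport one-time signatures: a hash-based scheme with no discrete log to attack.

Added example, not code from the original article, NIST, or any Bitcoin proposal.
SLH-DSA (FIPS 205) is a far more elaborate descendant of this idea. Seeds and
messages below are constructed test values.
"""
import hashlib

BITS = 256


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(seed: bytes):
    """Secret key: 256 pairs of 32-byte preimages (derived from `seed` here so the
    example is reproducible; use os.urandom in practice). Public key: the hash of
    each preimage. Breaking it means inverting SHA-256, not solving ECDLP."""
    sk = [(H(seed + i.to_bytes(2, "big") + b"\x00"),
           H(seed + i.to_bytes(2, "big") + b"\x01")) for i in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def msg_bits(msg: bytes):
    """The 256 bits of H(msg), most significant first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def sign(sk, msg: bytes):
    """Reveal, for every bit of H(msg), the preimage matching that bit.
    One-time only: each signature leaks half of the secret key."""
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != BITS:
        return False
    return all(H(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))


def forge(pk, signed: list, target: bytes):
    """Attack on key reuse: from (msg, sig) pairs made with one key, pool every
    revealed preimage and try to assemble a signature on `target`. Returns the
    forged signature if every needed preimage has leaked, otherwise None."""
    leaked = {}                                   # (bit index, bit value) -> preimage
    for msg, sig in signed:
        for i, (s, b) in enumerate(zip(sig, msg_bits(msg))):
            leaked[(i, b)] = s
    try:
        return [leaked[(i, b)] for i, b in enumerate(msg_bits(target))]
    except KeyError:
        return None


SIZES = {                   # bytes; ECDSA figures are a compressed key and a typical DER sig
    "ecdsa_pubkey": 33, "ecdsa_sig": 71,
    "lamport_pubkey": BITS * 2 * 32, "lamport_sig": BITS * 32,
}

if __name__ == "__main__":
    sk, pk = keygen(b"constructed-seed-do-not-use")
    m1, m2 = b"pay 1 BTC to alice", b"pay 1 BTC to bob"
    s1 = sign(sk, m1)
    print("valid:", verify(pk, m1, s1), " sizes:", SIZES)
    s2 = sign(sk, m2)                             # key reuse: now both halves leak at ~half the positions
    forged = forge(pk, [(m1, s1), (m2, s2)], b"pay 100 BTC to mallory")
    print("third message forgeable from two signatures:", forged is not None)
```

With a single signature an attacker can only re-sign the same message; after two signatures on one key, any message whose hash agrees bit-for-bit with one of the two at every position is forgeable, and each further signature widens that set. That is why real hash-based standards wrap one-time keys in Merkle trees and why key reuse, harmless for ECDSA, is fatal here.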
Stay informed as the quantum era approaches, and consider securing your Bitcoin holdings by following developments on quantum-resistant technologies and network upgrades.