The standard narrative about quantum computing and Bitcoin goes like this: someday, a sufficiently powerful quantum machine will crack the elliptic curve cryptography protecting your private keys, and your coins will be stolen. The solution, we're told, is to migrate to quantum-resistant signature schemes before that day arrives. Simple enough.
Except the real vulnerability may be far more specific—and far more dangerous. The threat isn't to wallets using modern best practices. It's to the estimated one million or more Bitcoin sitting in addresses from the network's earliest years, when coins were sent directly to public keys rather than to hashed addresses. Those public keys are visible on the blockchain right now. A quantum attacker wouldn't need to break a hash function first; they'd have a direct target.
The pay-to-pubkey problem
In Bitcoin's infancy, before pay-to-public-key-hash (P2PKH) became standard, miners received block rewards to raw public keys. These "pay-to-pubkey" outputs expose the full public key on-chain from the moment of creation. Modern transactions only reveal the public key when coins are spent, giving attackers a narrow window. But those early coinbase rewards? Their public keys have been sitting in plain sight for seventeen years.
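To make the distinction concrete, here is an added example (not code from the original piece) that classifies a scriptPubKey as pay-to-pubkey or pay-to-pubkey-hash and reports when a public key is exposed on-chain from creation versus only at spend time. The key, hash and signature bytes are constructed placeholders, and the parser handles only the direct pushes these legacy templates use.

```python
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

def push(data: bytes) -> bytes:
    return bytes([len(data)]) + data  # direct push, 1..75 bytes

def parse_script(script: bytes) -> list:
    """Split a script into bytes (pushed data) / int (opcode) items; direct pushes only."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        if 1 <= op <= 0x4B:                       # direct push of `op` bytes
            data = script[i + 1:i + 1 + op]
            if len(data) != op:
                raise ValueError("truncated push")
            items.append(data)
            i += 1 + op
        else:
            items.append(op)
            i += 1
    return items

def classify_output(script_pubkey: bytes) -> tuple:
    """Return ("p2pk", pubkey), ("p2pkh", hash160) or ("other", None)."""
    it = parse_script(script_pubkey)
    # P2PK: <pubkey> OP_CHECKSIG; key is 33 (compressed) or 65 (uncompressed) bytes
    if len(it) == 2 and isinstance(it[0], bytes) and len(it[0]) in (33, 65) and it[1] == OP_CHECKSIG:
        return ("p2pk", it[0])
    # P2PKH: OP_DUP OP_HASH160 <20-byte HASH160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG
    if (len(it) == 5 and it[0] == OP_DUP and it[1] == OP_HASH160 and isinstance(it[2], bytes)
            and len(it[2]) == 20 and it[3] == OP_EQUALVERIFY and it[4] == OP_CHECKSIG):
        return ("p2pkh", it[2])
    return ("other", None)

def pubkey_exposed_at_creation(script_pubkey: bytes):
    kind, data = classify_output(script_pubkey)
    return data if kind == "p2pk" else None  # P2PK only: the key is on-chain from day one

def pubkey_revealed_by_spend(script_sig: bytes):
    """A P2PKH spend's scriptSig is <sig> <pubkey>: the key surfaces only at that point."""
    it = parse_script(script_sig)
    if len(it) == 2 and all(isinstance(x, bytes) for x in it) and len(it[1]) in (33, 65):
        return it[1]
    return None

# Constructed sample values (placeholders, not real keys, hashes or signatures)
PUBKEY = b"\x04" + bytes(range(64))     # uncompressed-key layout, 65 bytes
HASH160 = bytes(range(20))              # stands in for HASH160(PUBKEY)
P2PK_SCRIPT = push(PUBKEY) + bytes([OP_CHECKSIG])
P2PKH_SCRIPT = bytes([OP_DUP, OP_HASH160]) + push(HASH160) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_SPEND_SCRIPTSIG = push(b"\x30" + bytes(70)) + push(PUBKEY)  # <71-byte sig> <pubkey>
```

Run over a node's UTXO set, the same classifier is how one would inventory how much value still sits behind exposed keys rather than behind hashes.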
The addresses most commonly associated with Satoshi Nakamoto—holding an estimated 1.1 million BTC, worth north of $120 billion at current prices—fall into this category. If quantum computers capable of running Shor's algorithm at scale ever materialize, these coins would be among the first vulnerable. The implications for Bitcoin's supply dynamics, price stability, and foundational mythology are difficult to overstate.
The timeline question
Quantum skeptics correctly note that no existing machine comes close to the thousands of stable, error-corrected qubits required to break Bitcoin's cryptography. Current estimates range from a decade to never. But "never" is a long time to bet on, and the crypto industry's track record on long-tail risk management is not inspiring.
Some have proposed protocol-level solutions: a soft fork that would freeze coins in vulnerable address formats after a grace period, forcing migration or forfeiture. The political economy of such a move—effectively threatening to burn Satoshi's coins—makes it nearly unthinkable under current governance norms. Yet the alternative is accepting that a trillion-dollar asset class has a known, if distant, existential vulnerability baked into its oldest layers.
Our take
Bitcoin's quantum exposure is a slow-motion governance test disguised as a cryptography problem. The network can probably survive the technical challenge; whether it can survive the argument about what to do with Satoshi's coins is another matter entirely. The day someone credibly demonstrates a quantum threat, the debate over those dormant addresses will become the most contentious in Bitcoin's history. Best to start thinking about it now, while "someday" still feels comfortably abstract.