Why Satoshi’s wallet is a prime quantum target
Satoshi’s 1.1-million-BTC wallet is increasingly viewed as a potential quantum vulnerability as researchers assess how advancing computing power could affect early Bitcoin addresses.
Satoshi Nakamoto’s estimated 1.1 million Bitcoin (BTC) is often described as the crypto world’s ultimate “lost treasure.” It sits on the blockchain like a dormant volcano, a digital ghost ship that has not seen an onchain transaction since its creation. This massive stash, worth approximately $67 billion-$124 billion at current market rates, has become a legend.
But for a growing number of cryptographers and physicists, it is also viewed as a multibillion-dollar security risk. The threat is not a hacker, a server breach or a lost password; it is the emergence of an entirely new form of computation: quantum computing.
As quantum machines move from theoretical research labs to powerful working prototypes, they pose a potential threat to existing cryptographic systems. This includes the encryption that protects Satoshi’s coins, the wider Bitcoin network and parts of the global financial infrastructure.
This is not a distant “what if.” The race to build both a quantum computer and a quantum-resistant defense is one of the most critical and well-funded technological efforts of our time. Here is what you need to know.
Why Satoshi’s early wallets are easy quantum targets
Most modern Bitcoin wallets hide the public key until a transaction occurs. Satoshi’s legacy pay-to-public-key (P2PK) addresses do not, and their public keys are permanently exposed onchain.
To understand the threat, it is important to recognize that not all Bitcoin addresses are created equal. The vulnerability lies in the type of address Satoshi used in 2009 and 2010.
Most Bitcoin today is held in pay-to-public-key-hash (P2PKH) addresses, which start with “1,” or in newer SegWit addresses that begin with “bc1.” In these address types, the blockchain does not store the full public key when coins are received; it stores only a hash of the public key, and the actual public key is revealed only when the coins are spent.
Think of it like a bank’s drop box. The address hash is the mail slot; anyone can see it and drop money in. The public key is the locked metal door behind the slot. No one can see the lock or its mechanism. The public key (the “lock”) is only revealed to the network at the one and only moment you decide to spend the coins, at which point your private key “unlocks” it.
Satoshi’s coins, however, are stored in much older P2PK addresses. In this legacy format, there is no hash. The public key itself, the lock in our analogy, is visibly and permanently recorded on the blockchain for everyone to see.
For a classical computer, this does not matter. It is still practically impossible to reverse-engineer a public key to find the corresponding private key. But for a quantum computer, that exposed public key is a detailed blueprint. It is an open invitation to come and pick the lock.
How Shor’s algorithm lets quantum machines break Bitcoin
Bitcoin’s security, Elliptic Curve Digital Signature Algorithm (ECDSA), relies on math that is computationally infeasible for classical computers to reverse. Shor’s algorithm, if run on a sufficiently powerful quantum computer, is designed to break that math.
Bitcoin’s security model is built on ECDSA. Its strength comes from a one-way mathematical assumption. It is easy to multiply a private key by a point on a curve to derive a public key, but it is essentially impossible to take that public key and reverse the process to find the private key. This is known as the Elliptic Curve Discrete Logarithm Problem.
A classical computer has no known way to “divide” this operation. Its only option is brute force, guessing every possible key. The number of possible keys is 2256, a number so vast it exceeds the number of atoms in the known universe. This is why Bitcoin is safe from all classical supercomputers on Earth, now and in the future.
A quantum computer would not guess. It would calculate.
The tool for this is Shor’s algorithm, a theoretical process developed in 1994. On a sufficiently powerful quantum computer, the algorithm can use quantum superposition to find the mathematical patterns, specifically the period, hidden within the elliptic curve problem. It can take an exposed public key and, in a matter of hours or days, reverse-engineer it to find the single private key that created it.
An attacker would not need to hack a server. They could simply harvest the exposed P2PK public keys from the blockchain, feed them into a quantum machine, and wait for the private keys to be returned. Then they could sign a transaction and move Satoshi’s 1.1 million coins.
Did you know? It is estimated that breaking Bitcoin’s encryption would require a machine with about 2,330 stable logical qubits. Because current qubits are noisy and error-prone, experts believe a fault-tolerant system would need to combine more than 1 million physical qubits just to create those 2,330 stable ones.
How close are we to a Q-Day?
Firms like Rigetti and Quantinuum are racing to build a cryptographically relevant quantum computer, and the timeline is shrinking from decades to years.
“Q-Day” is the hypothetical moment when a quantum computer becomes capable of breaking current encryption. For years, it was considered a distant “10-20-year” problem, but that timeline is now rapidly compressing.
The reason we need 1 million physical qubits to get 2,330 logical ones is quantum error correction. Qubits are incredibly fragile. They are noisy and sensitive to even slight vibrations, temperature changes or radiation, which can cause them to decohere and lose their quantum state, leading to errors in calculation.
To perform a calculation as complex as breaking ECDSA, you need stable logical qubits. To create a single logical qubit, you may need to combine hundreds or even thousands of physical qubits into an error-correcting code. This is the system’s overhead for maintaining stability.
We are in a rapidly accelerating quantum race.
-
Companies such as Quantinuum, Rigetti and IonQ, along with tech giants such as Google and IBM, are publicly pursuing aggressive quantum roadmaps.
-
Rigetti, for example, remains on track to reach a 1,000-plus qubit system by 2027.
-
This public-facing progress does not account for classified state-level research. The first nation to reach Q-Day could theoretically hold a master key to global financial and intelligence data.
The defense, therefore, must be built and deployed before the attack becomes possible.
Why millions of Bitcoin are exposed to quantum attacks
A 2025 Human Rights Foundation report found that 6.51 million BTC is in vulnerable addresses, with 1.72 million of it, including Satoshi’s, considered lost and unmovable.
Satoshi’s wallet is the biggest prize, but it is not the only one. An October 2025 report from the Human Rights Foundation analyzed the entire blockchain for quantum vulnerability.
The findings were stark:
-
6.51 million BTC is vulnerable to long-range quantum attacks.
-
This includes 1.72 million BTC in very early address types that are believed to be dormant or potentially lost, including Satoshi’s estimated 1.1 million BTC, many of which is in P2PK addresses.
-
An additional 4.49 million BTC is vulnerable but could be secured by migration, suggesting their owners are likely still able to act.
This 4.49 million BTC stash belongs to users who made a critical mistake: address reuse. They used modern P2PKH addresses, but after spending from them (which reveals the public key), they received new funds back to that same address. This was common practice in the early 2010s. By reusing the address, they permanently exposed their public key onchain, turning their modern wallet into a target just as vulnerable as Satoshi’s.
If a hostile actor were the first to reach Q-Day, the simple act of moving Satoshi’s coins would serve as proof of a successful attack. It would instantly show that Bitcoin’s fundamental security had been broken, triggering market-wide panic, a bank run on exchanges and an existential crisis for the entire crypto ecosystem.
Did you know? A common tactic being discussed is “harvest now, decrypt later.” Malicious actors are already recording encrypted data, such as internet traffic and blockchain public keys, with the intention of decrypting it years from now once they have a quantum computer.
How Bitcoin could switch to quantum-safe protection
The entire tech world is moving to new quantum-resistant standards. For Bitcoin, this would require a major network upgrade, or fork, to a new algorithm.
The cryptographic community is not waiting for this to happen. The solution is post-quantum cryptography (PQC), a new generation of encryption algorithms built on different and more complex mathematical problems that are believed to be secure against both classical and quantum computers.
Instead of elliptic curves, many PQC algorithms rely on structures such as lattice-based cryptography. The US National Institute of Standards and Technology has been leading this effort.
-
In August 2024, the National Institute of Standards and Technology published the first finalized PQC standards.
-
The key one for this discussion is ML-DSA (Module-Lattice-based Digital Signature Algorithm), part of the CRYSTALS-Dilithium standard.
-
The wider tech world is already adopting it. By late 2025, OpenSSH 10.0 had made a PQC algorithm its default, and Cloudflare reported that a majority of its web traffic is now PQC-protected.
For Bitcoin, the path forward would be a network-wide software update, almost certainly implemented as a soft fork. This upgrade would introduce new quantum-resistant address types, such as proposed “P2PQC” addresses. It would not force anyone to move. Instead, users could voluntarily send their funds from older, vulnerable addresses, such as P2PKH or SegWit, to these new secure ones. This approach would be similar to how the SegWit upgrade was rolled out.
