Citigroup’s analysis highlights a subset of Bitcoin that could be particularly exposed in a quantum‑attack scenario.
Estimates suggest that about 6.5–6.9 million BTC, roughly one third of circulating supply, already have their public keys visible on the blockchain.
Those coins are easier targets because an attacker would not need to wait for the owner to broadcast a transaction to reveal the public key. Instead, the key is already recorded on‑chain and could be analyzed in advance. That is the case for early pay‑to‑public‑key (P2PK) outputs, for any address that has been spent from and then received funds again (the spend reveals the key in the scriptSig or witness), and for Taproot outputs, whose scriptPubKey contains the output key directly. For coins held in hash‑based address types that have never been spent from, only a hash of the key is on chain, so an attacker would see the key only when a spend is broadcast and would have to recover the private key before that transaction confirms.
Examples of exposed coins include:
Dormant coins pose a particular challenge. Some may belong to lost wallets, inactive users, or early holders who may never migrate them to safer address types, leaving large balances exposed indefinitely.
Even though quantum‑resistant signature schemes already exist (NIST published standards for ML‑DSA and SLH‑DSA in 2024), deploying one on Bitcoin is not simple.
Bitcoin’s governance model is intentionally conservative. Protocol upgrades require broad agreement among developers, miners, node operators, exchanges, custodians, and users. This slow consensus process is designed to protect stability—but it also makes large architectural changes difficult.
Citigroup analysts argue this could make Bitcoin slower to adopt post‑quantum protections compared with networks such as Ethereum, which historically have implemented coordinated upgrades more frequently.
A successful transition would likely require:
Because these steps involve both technical and social consensus, the timeline could stretch over many years.
Another concern highlighted in discussions about quantum security is the so‑called “harvest now, decrypt later” strategy.
In this scenario, attackers collect cryptographic material today, even though they cannot yet break it. Once sufficiently powerful quantum computers exist, the stored material could be attacked retroactively.
Applied to Bitcoin, this means adversaries could already be cataloging addresses with exposed public keys. If quantum hardware eventually becomes capable of running Shor’s algorithm against secp256k1 at practical scale, recovering a private key from each stored public key, those coins could be targeted immediately.
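As an added example (constructed data; not Citigroup’s analysis and not code from Bitcoin Core or any wallet), the script below shows how a catalogue of exposed keys of the kind described above, and in the earlier passage on coins whose keys are already on chain, is built from chain data. It walks a constructed transaction list in order, records the public key or script that each spend of a hash‑based output reveals, and then classifies every remaining unspent output as key‑in‑output (P2PK, Taproot), revealed‑by‑earlier‑spend (address reuse), or hash‑only. The transaction IDs, keys, hashes and signatures are placeholders, and the parser handles only the standard single‑push scriptSig and witness forms, not arbitrary scripts.

```python
"""Classify unspent outputs by whether the public key that controls them is
already recoverable from chain data. Added example on constructed data; not
code from Citigroup or from any Bitcoin implementation."""
from collections import defaultdict

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0xA9, 0x87, 0x88, 0xAC)


def script_type(spk: bytes) -> str:
    """Identify a standard scriptPubKey template, or 'nonstandard'."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"    # <pubkey> OP_CHECKSIG: the key itself is in the output
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"   # HASH160(pubkey); key appears in scriptSig on spend
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "p2sh"    # HASH160(redeemScript); script appears on spend
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh"  # HASH160(pubkey); key appears in witness on spend
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "p2wsh"   # SHA256(witnessScript); script appears on spend
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "p2tr"    # x-only output key is in the output itself
    return "nonstandard"


def scan(txs):
    """Walk transactions in order. Returns (utxos, revealed): the unspent set,
    and a map from scriptPubKey to the key or script that a spend exposed."""
    utxos, revealed = {}, {}
    for tx in txs:
        for vin in tx["vin"]:
            spk, _ = utxos.pop((vin["txid"], vin["vout"]))
            t = script_type(spk)
            if t == "p2pkh":
                ss = bytes.fromhex(vin["scriptSig"])         # <sig> <pubkey>
                sig_len = ss[0]
                key_len = ss[1 + sig_len]
                revealed[spk] = ss[2 + sig_len:2 + sig_len + key_len].hex()
            elif t == "p2wpkh":
                revealed[spk] = vin["witness"][-1]          # witness: [sig, pubkey]
            elif t in ("p2sh", "p2wsh"):                    # script now public
                revealed[spk] = vin["witness"][-1] if t == "p2wsh" else vin["scriptSig"]
        for n, out in enumerate(tx["vout"]):
            utxos[(tx["txid"], n)] = (bytes.fromhex(out["scriptPubKey"]), out["value"])
    return utxos, revealed


def exposure(spk: bytes, revealed: dict) -> tuple:
    """Return (script type, exposure status) for one unspent output."""
    t = script_type(spk)
    if t in ("p2pk", "p2tr"):
        return t, "key in output"
    if spk in revealed:
        return t, "revealed by earlier spend"   # address reuse
    return t, "hash only"


def summarize(txs):
    """Classify every UTXO and total the value (in sat) per exposure status."""
    utxos, revealed = scan(txs)
    totals, rows = defaultdict(int), []
    for (txid, n), (spk, value) in utxos.items():
        t, status = exposure(spk, revealed)
        totals[status] += value
        rows.append((txid, n, t, status, value))
    return rows, dict(totals)


# --- Constructed sample chain (placeholder keys, hashes and signatures) ---
def p2pkh(h): return "76a914" + h + "88ac"
def p2pk(pk): return "21" + pk + "ac"
def p2wpkh(h): return "0014" + h
def p2tr(x): return "5120" + x

PUBKEY_A, PUBKEY_B, PUBKEY_C = "02" + "11" * 32, "03" + "22" * 32, "02" + "33" * 32
HASH_A, HASH_B, HASH_D = "aa" * 20, "bb" * 20, "dd" * 20   # stand-ins for HASH160
FAKE_SIG = "30" + "44" * 70 + "01"                          # 72-byte placeholder

SAMPLE_TXS = [
    {"txid": "t0", "vin": [], "vout": [
        {"scriptPubKey": p2pkh(HASH_A), "value": 100_000},
        {"scriptPubKey": p2pk(PUBKEY_B), "value": 50_000},
        {"scriptPubKey": p2wpkh(HASH_B), "value": 70_000},
        {"scriptPubKey": p2tr("cc" * 32), "value": 30_000},
        {"scriptPubKey": p2pkh(HASH_A), "value": 20_000}]},   # address reuse
    # Spending t0:0 puts PUBKEY_A on chain; t0:4 (same address) is now exposed.
    {"txid": "t1", "vin": [{"txid": "t0", "vout": 0,
                            "scriptSig": "48" + FAKE_SIG + "21" + PUBKEY_A}],
     "vout": [{"scriptPubKey": p2wpkh(HASH_D), "value": 95_000}]},
    # Spending t0:2 reveals PUBKEY_C in the witness; change goes back to HASH_B.
    {"txid": "t2", "vin": [{"txid": "t0", "vout": 2, "scriptSig": "",
                            "witness": [FAKE_SIG, PUBKEY_C]}],
     "vout": [{"scriptPubKey": p2wpkh(HASH_B), "value": 60_000}]},
]

if __name__ == "__main__":
    rows, totals = summarize(SAMPLE_TXS)
    for row in rows:
        print("%s:%d %-6s %-25s %d sat" % row)
    print(totals)
```

Keying the revealed set by scriptPubKey rather than by recomputing HASH160 is deliberate: a scanner that has seen the funding output already knows the script an input spends, so no hashing is needed, and the same lookup catches later outputs to the same address. On the sample chain the three categories come out at 80,000 sat (key in output), 80,000 sat (revealed by earlier spend) and 95,000 sat (hash only); only the last bucket forces an attacker to race the confirmation of a spend.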
Even before such attacks occur, the mere expectation of this risk could affect investor confidence or market pricing if the network appears slow to upgrade.
Developers have already begun discussing technical responses. Two notable proposals are BIP‑360 and BIP‑361, which outline ways to migrate Bitcoin to quantum‑resistant cryptography.
One controversial idea—outlined in BIP‑361—is a phased transition that would eventually sunset legacy signature schemes like ECDSA and Schnorr. Under some interpretations of the proposal, coins that remain in vulnerable address types after a migration deadline could become unspendable.
Supporters argue this would prevent quantum attackers from stealing funds tied to exposed public keys. Critics say it challenges Bitcoin’s long‑standing principle that coins remain spendable indefinitely if the private key exists.
The debate raises several risks:
Because of these trade‑offs, no single approach has universal support within the Bitcoin ecosystem.
For now, large‑scale quantum attacks remain hypothetical. No known quantum computer today can recover a secp256k1 private key from its public key, let alone do so at the speed or scale an attack on Bitcoin would require.
But the issue illustrates a broader challenge: cryptographic migration is slow, especially for decentralized systems with billions of dollars in assets. That means preparation often needs to begin years before the underlying threat becomes practical.
If quantum computing advances faster than expected, Bitcoin could face two difficult scenarios:
Either outcome would test the governance and resilience of the world’s largest cryptocurrency network.