A quantum computer cannot steal your Bitcoin today. No machine that exists can break the cryptography that guards a wallet, and the researchers who study the problem closely will tell you nobody knows when one could. That is the calm part. The harder part is that the threat is genuine, that it is measured in years whose number nobody can state rather than in decades anyone can bank on, and that a specific slice of the coin supply is already exposed: roughly 6.7 to 7 million BTC sit in addresses whose public keys are visible on the chain, which is the one condition a future quantum attacker would need. This week an advisory board convened by Coinbase put its weight behind one message: Bitcoin should begin moving to quantum-safe signatures now, before any countdown that nobody can pin down. What that board pointedly would not do is settle the ugliest question underneath all of it.
Can a quantum computer steal Bitcoin, and should you worry?
Not today, and not in a way that should keep you up tonight. The advisory board's report, shared with CoinDesk this week, says quantum computers are not a threat to blockchains right now. The machines that exist are far too small and too error-prone to break the cryptography Bitcoin relies on.
The reason to pay attention is the timeline and the size of the prep job. A working quantum attack on Bitcoin would not arrive as a surprise overnight; it would arrive after years of hardware progress that experts can partly track. But fixing Bitcoin is itself a years-long coordination effort across a network with no boss. That mismatch, a slow defense against an uncertain attack, is why serious cryptographers are urging the work to start while there is plenty of runway. The board's framing, per CoinDesk, is that the migration debate should not wait on a firm timeline, because the timeline is exactly the thing nobody can pin down.
- A quantum computer cannot break Bitcoin's cryptography today, and no one knows when one could. The threat is real but multi-year (CoinDesk, Decrypt).
- Roughly 6.7 to 7 million BTC sit in addresses with exposed public keys, about a third of all coins ever mined, and those are the ones a future quantum computer could target (NewsBTC, CoinDesk).
- Of that, about 1.7 million BTC sits in early or lost wallets, including coins tied to Satoshi Nakamoto, whose owners cannot or will not move them (CoinDesk).
- A coin is exposed once its public key is revealed, which happens when a hashed address is spent from, and stays true for any funds later sent back to that address (reuse). Coins in an address that has never sent a transaction keep their key hidden, with one exception: Taproot outputs record a public key on chain from the start.
- A Coinbase advisory board urges starting the move to quantum-safe signatures now, but refuses to decide what happens to coins nobody ever migrates (CoinDesk).
Why is Bitcoin exposed at all?
Bitcoin proves you own your coins with elliptic-curve cryptography, or ECC: signatures (ECDSA, and Schnorr since the Taproot upgrade) over the secp256k1 curve. When you set up a wallet, it generates two linked numbers: a private key, which you keep secret and use to sign transactions, and a public key, which the network uses to check that the signature is real. The math runs one way easily and the other way only with enormous effort. Anyone can verify a signature with the public key, but deriving the private key from the public key is, on today's computers, so hard that no known method would finish in any realistic span of time.
A large quantum computer changes the difficulty of that reverse step. A method called Shor's algorithm, designed for quantum hardware, can solve the exact problem ECC depends on far faster than any classical machine. Put simply, a powerful enough quantum computer running Shor's algorithm could take a public key and compute the private key behind it. Whoever holds that private key can move the coins. The lock and the spare key would be the same thing.
Two points keep this from being a doomsday switch. First, the quantum computer that could do this does not exist yet, and building it is a hardware problem of a scale no lab is close to. Second, Shor's algorithm only helps the attacker once the public key is visible. That single condition decides which coins are at risk.
Which Bitcoin is vulnerable, and which is safe?
The split comes down to whether a coin's public key has been revealed on the chain. Most of the confusion about quantum risk lives right here, so it is worth going slowly.
Legacy addresses (those starting with 1 or 3) and native SegWit addresses (bc1q) do not show your public key. They show a hash of it, a fixed-size fingerprint produced by SHA-256 and RIPEMD-160, and against inverting a hash a quantum computer gets only the modest speed-up of Grover's algorithm, nothing like the decisive break Shor's algorithm gives against ECC. While your coins sit in such an address that has never sent a transaction, the network has only seen the hash, and the public key stays hidden behind it. A quantum attacker has nothing to run Shor's algorithm against. Taproot addresses (bc1p) are the exception: a Taproot output records a tweaked public key directly in the output script, so coins sent to one are in the exposed category from the moment they arrive.
For the hashed address types, the public key becomes visible when you spend. To send from such an address, your wallet publishes a signature and, with it, the public key, so the network can check the signature and confirm the key matches the hash. From that moment the public key is on the chain forever. Three kinds of coins are therefore exposed:
- Coins in old pay-to-public-key outputs from Bitcoin's earliest years, which recorded the raw public key directly.
- Coins in any address that has been reused, meaning it received funds again after already sending a transaction. The spend revealed the key; the new deposit now sits behind a key the world can see.
- Coins in Taproot outputs, which carry a (tweaked) public key in the output script itself.
This is why the figures land where they do. Across the reporting, roughly 6.7 to 7 million BTC sit in addresses with exposed public keys, which is about a third of all Bitcoin ever mined, per NewsBTC and CoinDesk. The practical takeaway for a holder is genuinely simple: a fresh hashed address that has never been spent from keeps its public key hidden, so avoiding address reuse is real mitigation you can do today. It is mitigation for coins at rest, though, not a complete defense: the public key still goes public the moment you broadcast a spend, so an attacker fast enough to derive the key in the minutes before that transaction confirms could still race it. Closing that window is what new signature types are for.
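The split described above is a mechanical check over output scripts and spend history, so here is an added Python example (written for this page; not code from Coinbase, the advisory board or any Bitcoin project) that replays a small constructed chain and classifies each unspent output as key-exposed or key-hidden. The script templates are the real P2PK, P2PKH, P2WPKH and P2TR output formats; the keys, txids and amounts are constructed stand-ins, and `exposure_report`, `classify_script` and the `Tx` dataclasses are names chosen for the demo. It goes one step past the text by also treating Taproot outputs as exposed, since they carry a key in the script.

```python
# Added example for this page: replay a constructed chain and flag outputs with exposed keys.
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)): the fingerprint stored in P2PKH and P2WPKH outputs."""
    sha = hashlib.sha256(data).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:  # OpenSSL build without RIPEMD-160: stand-in so the demo still runs
        return hashlib.sha256(sha).digest()[:20]

# Output script templates, byte for byte what a node stores on chain.
def p2pk(pub: bytes) -> bytes: return bytes([len(pub)]) + pub + b"\xac"               # <pub> OP_CHECKSIG
def p2pkh(pub: bytes) -> bytes: return b"\x76\xa9\x14" + hash160(pub) + b"\x88\xac"   # DUP HASH160 <h> EQUALVERIFY CHECKSIG
def p2wpkh(pub: bytes) -> bytes: return b"\x00\x14" + hash160(pub)                    # OP_0 <h160>
def p2tr(output_key: bytes) -> bytes: return b"\x51\x20" + output_key                 # OP_1 <32-byte tweaked key>

def classify_script(spk: bytes) -> tuple[str, bytes | None]:
    """Return (type, key material in the script). P2PK and P2TR carry a public key outright."""
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == 0xAC:
        return "p2pk", spk[1:-1]
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh", spk[3:23]
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh", spk[2:]
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "p2tr", spk[2:]
    return "other", None

@dataclass
class TxIn:
    prev_txid: str
    prev_vout: int
    revealed_pubkey: bytes | None = None  # pubkey the spender had to publish (scriptSig/witness)

@dataclass
class TxOut:
    script_pubkey: bytes
    value_sat: int

@dataclass
class Tx:
    txid: str
    vin: list[TxIn] = field(default_factory=list)
    vout: list[TxOut] = field(default_factory=list)

def exposure_report(chain: list[Tx]) -> dict:
    """Replay the chain, then bucket unspent value by whether an attacker has a key to target."""
    utxos: dict[tuple[str, int], TxOut] = {}
    revealed: set[bytes] = set()  # hash160 of every pubkey that some spend has published
    for tx in chain:
        for txin in tx.vin:
            utxos.pop((txin.prev_txid, txin.prev_vout), None)
            if txin.revealed_pubkey is not None:
                revealed.add(hash160(txin.revealed_pubkey))
        for i, out in enumerate(tx.vout):
            utxos[(tx.txid, i)] = out
    report = {"exposed_sat": 0, "hidden_sat": 0, "unknown_sat": 0, "outputs": {}}
    for key, out in utxos.items():
        kind, material = classify_script(out.script_pubkey)
        if kind in ("p2pk", "p2tr"):
            exposed, why = True, f"{kind}: the public key is in the output script"
        elif kind in ("p2pkh", "p2wpkh"):
            exposed = material in revealed
            why = "address reused after a spend revealed its key" if exposed else "only the hash is on chain"
        else:
            exposed, why = None, "unrecognised script"
        report[{True: "exposed_sat", False: "hidden_sat", None: "unknown_sat"}[exposed]] += out.value_sat
        report["outputs"][key] = {"type": kind, "exposed": exposed, "why": why, "value_sat": out.value_sat}
    return report

# Constructed demo data: fixed bytes standing in for secp256k1 keys, invented txids and amounts.
PUB_EARLY = bytes.fromhex("02" + "11" * 32)  # 2009-style holder whose output recorded the raw key
PUB_ALICE = bytes.fromhex("03" + "22" * 32)
PUB_BOB = bytes.fromhex("02" + "33" * 32)
PUB_CAROL = bytes.fromhex("03" + "44" * 32)
TR_DAVE = bytes.fromhex("55" * 32)           # Taproot output key (already tweaked)
BTC = 100_000_000                             # satoshis per coin

DEMO_CHAIN = [
    Tx("cb1", vout=[TxOut(p2pk(PUB_EARLY), 50 * BTC)]),
    Tx("cb2", vout=[TxOut(p2pkh(PUB_ALICE), 50 * BTC)]),
    # Alice spends: her pubkey is published, and her change goes back to the SAME address (reuse).
    Tx("spend1", vin=[TxIn("cb2", 0, revealed_pubkey=PUB_ALICE)],
       vout=[TxOut(p2pkh(PUB_BOB), 30 * BTC), TxOut(p2pkh(PUB_ALICE), 20 * BTC)]),
    Tx("cb3", vout=[TxOut(p2wpkh(PUB_CAROL), 50 * BTC)]),
    Tx("cb4", vout=[TxOut(p2tr(TR_DAVE), 50 * BTC)]),
]

if __name__ == "__main__":
    r = exposure_report(DEMO_CHAIN)
    for (txid, i), o in r["outputs"].items():
        print(f"{txid}:{i} {o['type']:6} exposed={o['exposed']!s:5} {o['why']}")
    print(f"exposed {r['exposed_sat'] // BTC} BTC, hidden {r['hidden_sat'] // BTC} BTC")
```

On the demo chain the early P2PK output, Alice's reused change output and the Taproot output land in the exposed bucket (120 BTC), while Bob's and Carol's never-spent hashed outputs stay hidden (80 BTC). The same replay over real chain data is how the 6.7 to 7 million BTC figure is produced, only with the revealed-key set built from every scriptSig and witness on the chain.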
What about Satoshi's coins and the lost wallets?
A large chunk of the exposed pile cannot be protected by good habits, because no one is there to practice them. Roughly 1.7 million BTC sits in early wallets from Bitcoin's first years, including coins widely believed to belong to Satoshi Nakamoto, the pseudonymous creator, and other pre-2011 holders, according to CoinDesk. Many of these are in the old public-key format, and many are presumed lost, with the private keys gone for good.
These coins are the hard case in every sense. Their owners cannot move them to a safer address, either because the keys are lost or because the owner has chosen, for years, never to touch them. They sit in plain view of any future quantum attacker, and there is no account holder to send the upgrade notice to. As you will see, this is the exact pile that turns a technical migration into a political fight.
When could this actually happen?
Nobody knows, and anyone who gives you a confident date is selling something. The serious estimates span a wide range, and they come from different assumptions about how fast quantum hardware improves.
Some signals point toward the end of the decade, others are far more conservative, and nobody can pin it down. Google has set itself a 2029 deadline to move its own infrastructure to post-quantum cryptography, and its researchers recently found that breaking the cryptography may take far fewer quantum resources than once thought. Read that carefully: the 2029 date is Google planning to be ready before the threat arrives, not a forecast that Bitcoin breaks that year. It shows an institution treating the risk as urgent. Other voices are more relaxed. Jameson Lopp, co-founder of the Bitcoin custody firm Casa, told Decrypt a capable machine is "probably over a decade, maybe even several decades" away if progress stays roughly linear. These are guesses about a machine that has not been built, so treat each as a scenario from its source rather than a fact about the future.
The advisory board's own stance, per CoinDesk, sidesteps the guessing game on purpose. Its point is that because the date is unknowable, the network should not tie its preparation to any particular year. Start the work now, on a timeline Bitcoin can control, instead of betting that the attacker's timeline will be generous.
What is the fix, and why is it hard?
The cryptographic fix is well understood. The hard part is getting a leaderless network to adopt it together.
On the math, the answer is post-quantum signatures, also called quantum-safe signatures: signing schemes built on problems that quantum computers are not known to break. Several candidates exist for Bitcoin. Hash-based signatures such as SPHINCS+ and the older Lamport scheme lean on the same kind of hashing that already protects unspent addresses, which quantum computers do not crack the way they crack ECC. On the proposal side, drafts in the spirit of BIP 360 and BIP 361 sketch how Bitcoin could add a quantum-safe address type and let holders migrate their coins into it. The plumbing to do this is real and being designed.
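To make "the same kind of hashing" concrete, here is an added Python example (written for this page; not code from any BIP, from SPHINCS+ or from a Bitcoin implementation) of the Lamport one-time signature over SHA-256: key generation, signing, verification, and the one-time caveat that makes raw Lamport unusable for a key that signs twice. The function names and the sample messages are the example's own.

```python
# Added example for this page: a Lamport one-time signature over SHA-256 and its reuse hazard.
from __future__ import annotations

import hashlib
import secrets

N = 256  # we sign the 256-bit SHA-256 digest of a message, so the key holds 256 pairs


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes) -> list[int]:
    """The 256 bits of SHA-256(msg), most significant bit first."""
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def keygen() -> tuple[list[list[bytes]], list[list[bytes]]]:
    """Secret key: 256 pairs of random 32-byte preimages. Public key: their SHA-256 hashes."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(N)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk


def sign(sk: list[list[bytes]], msg: bytes) -> list[bytes]:
    """For each digest bit, reveal the preimage on that side of the pair, and only that one."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def verify(pk: list[list[bytes]], msg: bytes, sig: list[bytes]) -> bool:
    """Each revealed value must hash to the public-key entry the digest bit selects."""
    if len(sig) != N:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))


def revealed_preimages(signed: list[tuple[bytes, list[bytes]]]) -> dict[tuple[int, int], bytes]:
    """What anyone watching the chain learns from published signatures: (position, bit) -> preimage."""
    seen: dict[tuple[int, int], bytes] = {}
    for msg, sig in signed:
        for i, b in enumerate(digest_bits(msg)):
            seen[(i, b)] = sig[i]
    return seen


def forge(seen: dict[tuple[int, int], bytes], target: bytes) -> list[bytes] | None:
    """Sign `target` with leaked preimages alone, if every one of its digest bits is covered."""
    needed = list(enumerate(digest_bits(target)))
    if all(k in seen for k in needed):
        return [seen[k] for k in needed]
    return None


def signature_size_bytes() -> int:
    return N * 32  # 8192 bytes; an ECDSA or Schnorr signature is about 64 to 72


if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = b"pay 1 BTC to bob", b"pay 1 BTC to carol"   # constructed sample messages
    s1 = sign(sk, m1)
    print("valid:", verify(pk, m1, s1), "tampered:", verify(pk, b"pay 9 BTC to bob", s1))
    seen = revealed_preimages([(m1, s1), (m2, sign(sk, m2))])
    print(f"after two signatures an observer holds {len(seen)} of {2 * N} secret values")
    print("forgery on a fresh message possible:", forge(seen, b"pay 21 BTC to mallory") is not None)
```

Two things the paragraph does not show. First, the reuse hazard: one signature reveals 256 of the 512 secret values, a second signature with the same key reveals more wherever the two digests differ, and `forge` shows what an observer can then sign without the key (for a random third message the chance that every bit is covered is negligible, but it grows with every reuse, and a pure Lamport key must be treated as burned after one spend). Second, the cost: a Lamport signature is 8,192 bytes against roughly 64 to 72 for ECDSA or Schnorr, which is why practical hash-based schemes such as SPHINCS+ layer Merkle trees and other tricks over the one-time primitive to get keys that can be reused and signatures that fit in a block.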
The genuinely hard problem is coordination. Bitcoin has no company that can push an update to every user. A change to how the network validates transactions requires broad agreement among developers, miners, node operators, exchanges, and wallet makers, and then it requires the millions of coins on the chain, held in an enormous number of separate outputs, to actually be moved into the new format by the people who hold them. That is slow under the best conditions. It is the reason the advisory board's urgency is aimed at starting early: the math is ready long before the social machinery to deploy it will be.
What does the new Coinbase report say, and what won't it settle?
The report comes from an independent advisory board on quantum computing and blockchain that Coinbase convened, with members named in the reporting including Scott Aaronson of UT Austin, Dan Boneh of Stanford, and Justin Drake of the Ethereum Foundation. These are among the most respected names in cryptography and quantum theory, which is what gives the report its weight.
Their headline guidance is consistent and clear: quantum computers are not a threat today, no one can name the day they will be, and so Bitcoin should begin its migration to quantum-safe signatures now rather than wait for a countdown, per CoinDesk and Decrypt. On the technical direction, the board notes that compatible solutions can be combined, and it presses the community for clear communication and timely action.
Then it stops short, on purpose, at the question that matters most. What should the network do about coins whose owners never migrate, the lost wallets and the Satoshi-era stash that will still be sitting in exposed addresses when a quantum computer finally arrives? Two camps have formed. One would set a migration deadline, after which coins still relying on the old, breakable cryptography are effectively frozen or burned, putting them beyond anyone's reach so a quantum attacker cannot grab them either. The other would preserve those coins as they are, treating a forced freeze as a violation of the property the network is supposed to protect. The board declines to pick a side. According to CoinDesk, even this group of top cryptographers cannot agree, and the report leaves the choice to the wider community.
That refusal sits at the center of the report. The technical fix is the easy half. Deciding whether to wall off, or wait on, more than a million coins that may include the founder's own holdings is a question about what Bitcoin is for, and the experts handed it back to the people who run the network.
What should a Bitcoin holder actually do?
Stay calm and take the small, real steps that exist today. This is a multi-year problem with a known direction of travel, and no emergency action needs to happen this week to keep ordinary holdings safe.
The one habit worth adopting is avoiding address reuse. Use a modern wallet, which by default gives you a fresh receiving address for each transaction and keeps your unspent coins behind a hidden public key. When the quantum-safe upgrade eventually ships, follow the instructions from your wallet and from Bitcoin's developers to move your coins into the new address type. Until then, your existing setup is not in danger from any machine that exists.
Quantum fear is already bait for scams. Expect fake "quantum-safe upgrade" tools, urgent emails, and apps that tell you to move your coins right now to a "protected" address or to enter your seed phrase to "secure" it against quantum computers. There is no legitimate quantum-safe migration you need to act on today, and no real upgrade will ever ask for your seed phrase. A genuine migration will come through your wallet software and Bitcoin's open development process, announced in the open and rolled out over time. Anyone rushing you is trying to steal your coins the old-fashioned way.
What we're watching
Whether the migration moves from white papers to a proposal the network can actually rally behind. The cryptography exists, the advisory board has lent its name to starting now, and the open governance question is squarely on the table. The next real signal is a concrete migration plan that wallets and exchanges commit to, not another round of warnings. The harder signal is whether the community can answer the question the experts would not: what to do with the millions of coins, some likely the founder's, that no one will ever move. Until then, the threat stays years out, the exposed coins stay exposed, and the most useful thing a holder can do is keep a fresh address and ignore anyone selling a quantum panic.