No quantum computer can break Bitcoin's cryptography today — yet roughly 7 million BTC already sit with their public keys visible on-chain, waiting. The question is no longer whether the keys are exposed, but who is holding the exposed coins, and how long the window to move them stays open.
What Coinbase's Quantum Board Actually Found: The 7 Million BTC Breakdown
Coinbase's Independent Advisory Board on Quantum Computing and Blockchain estimates that roughly 7 million BTC are exposed to a future quantum attack — not because the math is broken, but because the underlying public keys are already permanently recorded on the ledger. The board, launched in January 2026, published a foundational report on April 21, 2026 and a more granular follow-up around June 8–11, 2026. Its named members include cryptographer Dan Boneh of Stanford, Justin Drake of the Ethereum Foundation, and Sreeram Kannan of Eigen Labs.
Quick Answer: Coinbase's quantum advisory board estimates about 7 million BTC are exposed to a future quantum attack — roughly 1.7 million in legacy P2PK addresses where the public key is the address, plus about 5 million revealed through address reuse, including coins held in exchange cold wallets.
The board splits that 7 million into two buckets. The first is about 1.7 million BTC spread across roughly 20,000 legacy Pay-to-Public-Key (P2PK) addresses, where the raw public key is the address and has been sitting in the open ledger since it was created — these include early-mined, Satoshi-era coins and likely-lost wallets that may never move. The second, and the more important one for active traders, is roughly 5 million BTC exposed through address reuse. Normally a public key is only revealed when you spend; reuse a receiving address, though, and that key stays in the ledger permanently. Critically, the board states that exchange cold wallets are among these exposed balances — so this is not purely a dormant-coin story.
Independent work lands in the same range. The "Quantum Horizon" arXiv paper (2606.14484), dated June 2026, estimates about 6 million BTC — roughly 30% of supply — exposed at rest. Deloitte's own blockchain scan put vulnerable balances above 4 million BTC, split between P2PK and reused P2PKH outputs. A narrower CoinShares note from February 6, 2026 focuses on the P2PK slice alone at about 1.6–1.7 million BTC.
| Source | Exposed BTC estimate | What it counts |
|---|---|---|
| Coinbase Advisory Board | ~7 million | ~1.7M P2PK + ~5M address reuse (incl. exchange cold wallets) |
| Quantum Horizon (arXiv 2606.14484) | ~6 million (~30% of supply) | Total exposed at rest |
| Deloitte blockchain scan | 4 million+ | P2PK + reused P2PKH balances |
| CoinShares | ~1.6–1.7 million | P2PK exposure only (~8% of supply) |
The estimates differ because they draw their boundaries differently — some count only P2PK, others add every reused address — but the direction is consistent across four independent analyses: a material share of Bitcoin's supply is already exposed, and the figure is measured in millions of coins, not edge-case dust.
How Address Reuse Permanently Exposes an Active Wallet
Address reuse is what turns a theoretical risk into a live one for active wallets. Under the standard Pay-to-Public-Key-Hash (P2PKH) format, your public key stays hidden behind a one-way hash and is revealed only the first time you spend from an address. Receive once and never reuse, and the raw key never touches the ledger. But spend from an address and then reuse it to receive again, and that public key is now written permanently into the blockchain for anyone to record. According to Deloitte's own chain scan, roughly 2.5 million BTC sat in reused P2PKH outputs in this exposed state.
The exposure matters because of a strategy researchers call "harvest now, decrypt later." An adversary does not need to break anything in real time. They can archive every exposed public key today and crack the matching private keys later, once a cryptographically relevant quantum computer (CRQC) exists. Coinbase's Independent Advisory Board frames this as the central reason the work "shouldn't wait" — the coins exposed today stay exposed indefinitely, and most are assumed to belong to active users, including large balances in the cold wallets of known exchanges.
The specific algorithm at issue is Shor's, run against the secp256k1 elliptic-curve signatures behind ECDSA spends. The arXiv paper "Quantum Horizon" models that attack at roughly 1,200–2,330 logical qubits, against 2026 hardware that tops out near 100 logical qubits. As Dan Boneh, the Stanford cryptographer on the Coinbase board, and his colleagues put it, the panel holds "high confidence that a large-scale, fault-tolerant quantum computer will eventually be built" — the gap is real today, but it is a gap, not a wall.
Mining is a separate and lesser concern. Quantum Horizon distinguishes Shor's algorithm, which threatens signatures, from Grover's, which offers only a quadratic speedup against hash functions and carries heavy fault-tolerant overhead. Bitcoin's difficulty adjustment largely absorbs any mining advantage, a point echoed by earlier work from Aggarwal and colleagues. The signature layer, not the proof-of-work layer, is where exposed keys create tail risk.
Base Case: A 10–20 Year Window — and Why That Is Not a Reason to Wait
The base case is a 10-to-20-year runway before a cryptographically relevant quantum computer (CRQC) can break secp256k1 signatures — long enough that no exposed key is at imminent risk, but short enough that migration work should start now. The Global Risk Institute's 2025 timeline report, drawing on 26 experts, puts CRQC probability at 28–49% within 10 years and 51–70% within 15 years. The direction is settled; only the date is uncertain.
Independent academic modeling lands in a similar band. The arXiv paper Quantum Horizon (2606.14484) assigns roughly a one-in-six chance of a CRQC by 2035, near 30% by 2040, and about 60% by 2050, with an 80% credible interval spanning roughly 2032–2060. These are forecasts, not schedules — but they consistently place meaningful probability mass inside a single Bitcoin holding cycle.
| Source | CRQC probability / horizon |
|---|---|
| Global Risk Institute (26 experts) | 28–49% within 10 yrs; 51–70% within 15 yrs |
| Quantum Horizon (arXiv 2606.14484) | ~17% by 2035; ~30% by 2040; ~60% by 2050 |
| Some researchers (per Coinbase board) | Better-than-even odds before 2030 |
The hardware gap explains the runway. A March–April 2026 paper from Google Quantum AI, the Ethereum Foundation, and Stanford models a 256-bit elliptic-curve attack at under 1,200 logical qubits and under 90 million Toffoli gates, and suggests that under specific superconducting assumptions — 1e-3 physical error rates and planar connectivity — such a circuit could run in minutes with fewer than 500,000 physical qubits. Against 2026 machines holding roughly 1,000–1,200 physical qubits, the threshold sits orders of magnitude away.
That distance is the trap. The Coinbase Independent Advisory Board states it has "high confidence that a large-scale, fault-tolerant quantum computer will eventually be built," with estimates ranging from a few years to a decade or more — and notes some researchers place better-than-even odds before 2030. Because exposed keys can be harvested today and decrypted later, the time to move coins is set by the harvest, not the eventual break.
Bull Case: Bitcoin Upgrades Before the Threat Matures
The optimistic scenario is straightforward: the cryptographic roadmap already exists, the threat window is measured in years, and a 10–20 year runway is adequate for a coordinated upgrade if political will forms now. NIST finalized its first three post-quantum cryptography standards on August 13, 2024 — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). These are general-purpose standards rather than a Bitcoin consensus upgrade, but they remove the hardest part of the problem: the destination algorithms are no longer hypothetical.
Other networks are already moving, which builds reusable engineering and a precedent for migration. The Ethereum Foundation launched a dedicated post-quantum team in January 2026, and Stellar has published a migration roadmap. For Bitcoin specifically, the Coinbase board recommends a hybrid approach that combines elliptic-curve and post-quantum signatures, preserving backward compatibility so the network can transition gradually rather than through a disruptive hard cutover.
The immediate market-disruption surface is also narrower than the headline 7 million BTC suggests. A CoinShares investor note dated February 6, 2026 estimates that only about 10,200 BTC would plausibly create sudden market-disruption risk if P2PK wallets were exploited; much of the remainder sits across 32,607 roughly-50-BTC UTXOs that would be slow to drain even under aggressive assumptions. That slow-drain dynamic buys defenders time to respond once an attack begins.
The technical case for optimism is summarized bluntly by the Quantum Horizon authors:
"If migration starts early, governance is the binding constraint — not the technology." — Iosif M. Gershteyn and Jacob A. Alber, Quantum Horizon (source: arXiv 2606.14484).
In other words, the bull case does not require new science. It requires Bitcoin's stakeholders to begin a backward-compatible transition while the harvested-key clock still has slack — turning a solved cryptographic problem into a solved coordination one.
Bear Case: Governance Deadlock Before a CRQC Arrives
The bear case is that Bitcoin's stakeholders fail to coordinate in time, leaving exposed coins vulnerable when a cryptographically relevant quantum computer finally arrives. The technology to migrate exists; the consensus to deploy it may not. Post-quantum signature schemes could increase Bitcoin block sizes by up to 38×, straining throughput, node storage, and the decentralization trade-off that keeps full nodes cheap to run. Any upgrade that worsens that balance will be contested, and contested changes to Bitcoin move slowly.
Part of the exposed supply cannot be saved by any deadline. The Quantum Horizon paper estimates about 2.3 million BTC — roughly 12% of supply — is irreducibly at risk: lost wallets, Satoshi-era addresses, and dormant owners who cannot or will not migrate. No backward-compatible transition reaches a key whose owner is gone. That leaves the network with politically charged choices about coins it cannot move on the owner's behalf.
The Coinbase Independent Advisory Board lays out the contentious options bluntly. For abandoned or vulnerable coins, the network can freeze or burn them after a deadline, do nothing, or take a middle path that caps per-block movement of vulnerable coins or accepts cryptographic proofs in place of legacy signatures. The board cautions that forced burning "overrides property rights and sets a precedent for network-level interference" — a position CoinShares and Deloitte echo around neutrality and consensus risk. Either path requires the kind of agreement Bitcoin has historically taken years to reach.
The worst-case timing compresses all of this. If a CRQC arrives ahead of the median forecast — Quantum Horizon puts roughly one-in-six odds by 2035 — while exchange cold wallets still hold exposed keys, custodied retail funds become high-value targets in a narrow window before any protocol upgrade could take effect. The bear case is not that the cryptography breaks unexpectedly; it is that governance deadlock and an early hardware breakthrough overlap, and the coordination problem the bull case assumes gets solved simply isn't.
Portfolio and Custody Implications for Retail Traders
For retail traders, the correct response is custody hygiene plus tail-risk positioning — not selling Bitcoin. The single highest-value, zero-cost action is to stop reusing addresses: generate a fresh receiving address for every inbound transaction, which most modern hardware and software wallets do automatically through HD wallet derivation. Doing so keeps your public key hashed until you actually spend, removing your balance from the roughly 5 million BTC the Coinbase board attributes to address reuse.
Beyond hygiene, prioritize migration. Move balances out of legacy Pay-to-Public-Key (P2PK) outputs and any previously reused P2PKH addresses into output types that keep keys hidden until spend — native SegWit (P2WPKH) or Taproot (P2TR). This matters most for self-custodied coins sitting in older address formats, since the Quantum Horizon paper classes roughly 3.7 million BTC as still migratable to safer paths versus about 2.3 million BTC that are likely stranded with dormant or lost owners.
Custody due diligence is the part traders most often skip. The Coinbase board explicitly named exchange cold wallets among the exposed balances, meaning custodied funds — not only forgotten Satoshi-era coins — fall into the at-risk bucket. Ask your exchange or custodian for its post-quantum migration roadmap now, before one becomes a regulatory requirement.
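The exposure rule described in the address-reuse section and the sweep step above can be checked mechanically against a wallet's own history. The following is an added Python example, not code from the Coinbase board, Deloitte or the Quantum Horizon paper; it flags unspent balances whose public key is already on-chain (P2PK outputs, and hash-based P2PKH/P2WPKH addresses that received again after a spend revealed their key). The transaction records, address labels and script-type strings are constructed for the example.

```python
# Added example: classify a wallet's own transaction history to find balances
# whose public key is already on-chain. All records below are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class TxOut:
    txid: str
    vout: int
    address: str
    script_type: str  # "p2pk" (key is the script) or "p2pkh"/"p2wpkh" (key hashed)
    sats: int

@dataclass(frozen=True)
class Tx:
    txid: str
    spends: tuple   # (txid, vout) references consumed by this transaction
    outputs: tuple  # TxOut records created by this transaction

def classify_exposure(txs):
    """Return {address: (script_type, unspent_sats, reason)} for every address
    whose current balance is reachable by a harvest-now-decrypt-later attacker."""
    outs = {(o.txid, o.vout): o for tx in txs for o in tx.outputs}
    spent = {ref for tx in txs for ref in tx.spends}
    # Signing an input of a P2PKH/P2WPKH output writes the raw key to the chain.
    signed_from = {outs[ref].address for ref in spent}
    balance, script = defaultdict(int), {}
    for ref, o in outs.items():
        if ref not in spent:
            balance[o.address] += o.sats
            script[o.address] = o.script_type
    exposed = {}
    for addr, sats in balance.items():
        if script[addr] == "p2pk":
            exposed[addr] = (script[addr], sats, "P2PK: key is the output script")
        elif addr in signed_from:
            exposed[addr] = (script[addr], sats, "reused after a spend revealed the key")
    return exposed

def total_exposed_sats(txs):
    return sum(v[1] for v in classify_exposure(txs).values())

# Constructed history: an early P2PK coin, a P2PKH address reused after it was
# spent from, a P2PKH address spent once and left empty, and SegWit addresses
# that receive more than once but have never signed (key still hashed).
SAMPLE = (
    Tx("t1", (), (TxOut("t1", 0, "PK_EARLY", "p2pk", 5_000_000_000),)),
    Tx("t2", (), (TxOut("t2", 0, "A_REUSED", "p2pkh", 100_000),
                  TxOut("t2", 1, "A_ONCE", "p2pkh", 20_000),
                  TxOut("t2", 2, "W_FRESH", "p2wpkh", 40_000))),
    Tx("t3", (("t2", 0),), (TxOut("t3", 0, "W_CHANGE", "p2wpkh", 90_000),)),
    Tx("t4", (), (TxOut("t4", 0, "A_REUSED", "p2pkh", 30_000),)),  # receive after spend
    Tx("t5", (("t2", 1),), (TxOut("t5", 0, "W_CHANGE", "p2wpkh", 19_000),)),
)
```

Only PK_EARLY and A_REUSED come back as sweep candidates: W_CHANGE received twice but never signed, so its key is still behind the hash, and A_ONCE revealed its key but holds nothing.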
"The upgrade work shouldn't wait," the Coinbase Independent Advisory Board on Quantum Computing and Blockchain concluded, urging the network to begin a gradual, backward-compatible transition rather than waiting for a cryptographically relevant quantum computer to exist (source: CoinDesk, 2026-04).
Frame this as tail-risk repricing, not an exit signal. CoinShares rates the near-term disruption risk as distant and manageable for institutional investors, estimating only about 10,200 BTC would plausibly create sudden market-disruption risk if compromised. The actionable trade is positioning ahead of a quantum discount being priced into exposed-address balances as CRQC probability milestones — the Global Risk Institute's 28–49% within ten years, for instance — are crossed.
The concrete takeaway: spend an hour this week confirming your wallet auto-rotates addresses, sweep coins out of any reused or P2PK address into Taproot or native SegWit, and put your custodian's quantum roadmap on your due-diligence checklist. None of it requires predicting when the hardware arrives — only refusing to leave keys exposed while the clock runs.
Frequently asked questions
What is a 'harvest now, decrypt later' quantum attack on Bitcoin?
It is an attack that begins today and finishes years from now. No quantum computer can break Bitcoin's cryptography in 2026, so there is no real-time exploit window — instead, an adversary records the public keys that are already permanently visible on the blockchain and waits to crack the matching private keys once a cryptographically relevant quantum computer (CRQC) exists. The Coinbase Independent Advisory Board on Quantum Computing and Blockchain, launched in January 2026, identifies this as the live concern and estimates roughly 7 million BTC exposed in this way. Because the data is captured now and decrypted later, moving exposed coins before a CRQC arrives is the only reliable defense.
How does address reuse expose Bitcoin to a quantum attack?
Address reuse converts a hidden public key into a permanently readable one. With standard Pay-to-Public-Key-Hash (P2PKH) addresses, the public key stays hidden behind a hash until you first spend from the address; if you never reuse it, the key is revealed only as the balance leaves, so nothing remains at that address to attack. But reusing a receive address leaves its public key written permanently in the ledger, after which a future CRQC can run Shor's algorithm against the secp256k1 elliptic-curve key to derive the private key. Deloitte's blockchain scan found over 4 million BTC vulnerable on these grounds — about 2 million BTC in legacy P2PK and roughly 2.5 million BTC in reused P2PKH addresses. The Coinbase board attributes the larger 5 million BTC reuse bucket largely to active users and exchange cold wallets.
Is my hardware wallet (Ledger, Trezor) safe from the quantum threat?
A hardware wallet does not change your on-chain exposure. Devices like Ledger and Trezor protect private keys from online theft and malware, but quantum risk lives in the public ledger, not in the storage device. Your safety depends entirely on whether the receiving addresses have been reused or are legacy Pay-to-Public-Key (P2PK) types — about 1.7 million BTC sit across roughly 20,000 P2PK addresses whose public keys are permanently visible regardless of how the keys are stored. The practical step is to avoid address reuse and sweep funds into output types that keep keys hashed until spend, not to trust the device alone.
When will quantum computers be strong enough to crack Bitcoin?
Most credible forecasts point to a runway of at least a decade, though no date is certain. The Global Risk Institute's 2025 timeline report, drawing on 26 experts, puts a CRQC at 28–49% within 10 years and 51–70% within 15 years. The academic 'Quantum Horizon' paper estimates roughly a one-in-six chance of a CRQC by 2035 and near 30% by 2040. The hardware gap reinforces the timeline: breaking secp256k1 is modeled at hundreds of thousands of physical qubits — one analysis suggests under 500,000 under specific assumptions — versus only about 1,000–1,200 physical qubits available in 2026.
What are the main options for handling Bitcoin coins that cannot be migrated?
The Coinbase board outlines three paths for abandoned or unmigratable coins, including the roughly 2.3 million BTC that may be dormant, lost, or Satoshi-era and unable to move. First, freeze or burn vulnerable coins after a migration deadline — a contested option the board warns "overrides property rights and sets a precedent for network-level interference." Second, do nothing and accept ongoing exposure. Third, a middle path that caps per-block movement of vulnerable coins or accepts cryptographic proofs in place of legacy ECDSA signatures. The board signals a preference against coercive measures and frames the binding constraint as governance rather than technology, a tradeoff CoinShares and Deloitte echo.