Bitcoin's quantum problem isn't really about Satoshi Nakamoto's coins. It's about whether a network built on absolute property rights can agree to protect holders before exposed keys become a live target.
The cleanest version of the argument is uncomfortable: if a future quantum computer can derive private keys from exposed Bitcoin public keys, then doing nothing leaves old coins open to theft. Locking or burning those coins would stop the thief, but it would also tell every holder that Bitcoin's guarantees can be rewritten when enough people agree the risk is serious enough.
That is not a small governance question. It goes straight to the thing Bitcoin sells better than any exchange, ETF issuer or mining company ever could: final settlement without permission. Once you accept that coins can be made unspendable for security reasons, you have to decide who gets to define the security reason next time.
The technical work is real. BIP-360, published in the Bitcoin BIPs repository as Pay-to-Merkle-Root, was assigned on December 18, 2024 and remains in draft status. Its authors, Hunter Beast, Ethan Heilman and Isabel Foxen Duke, describe it as a new output type that removes Taproot's quantum-vulnerable key path spend while keeping script tree functionality. It doesn't solve every quantum problem. The proposal itself says protection against faster short exposure attacks may require post-quantum signatures later.
That distinction matters. A long exposure attack targets public keys already sitting on the blockchain for as long as the attacker needs. Satoshi-era Pay-to-Public-Key outputs are the famous example, because early miners often left public keys visible. Reused addresses create the same problem in a less mythic way. If you've exposed a public key and still hold coins there, you are depending on elliptic-curve cryptography staying out of reach of quantum machines.
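The exposure rule in that paragraph can be checked mechanically against a wallet's own unspent outputs. The sketch below is an added example, not code from the article, BIP-360 or any wallet project: it matches standard output-script templates and flags those where a public key is already on chain. The `seen_in_spend` flag and the sample scripts are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Finding(NamedTuple):
    script_type: str
    key_exposed: bool
    reason: str

HASHED = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}

def script_type(spk: bytes) -> str:
    """Match the standard scriptPubKey templates by length and opcodes."""
    n = len(spk)
    # P2PK: push of a 33- or 65-byte public key, then OP_CHECKSIG (0xac)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    if n == 34 and spk[:2] == b"\x51\x20":  # OP_1 + 32-byte output key
        return "p2tr"
    return "unknown"

def assess(spk_hex: str, seen_in_spend: bool) -> Finding:
    """seen_in_spend (assumed input): this script already funded a spent input."""
    kind = script_type(bytes.fromhex(spk_hex))
    if kind == "p2pk":
        return Finding(kind, True, "public key sits in the output script")
    if kind == "p2tr":
        return Finding(kind, True, "key path output key sits in the output script")
    if kind in HASHED:
        if seen_in_spend:
            return Finding(kind, True, "reuse: an earlier spend revealed the key or script")
        return Finding(kind, False, "only a hash is on chain until the first spend")
    return Finding(kind, True, "unrecognised script: treat as exposed until reviewed")

# Constructed sample outputs (filler bytes, not real keys or hashes)
SAMPLES = {
    "early_p2pk": ("41" + "04" + "11" * 64 + "ac", False),
    "fresh_p2pkh": ("76a914" + "22" * 20 + "88ac", False),
    "reused_p2wpkh": ("0014" + "33" * 20, True),
    "taproot": ("5120" + "44" * 32, False),
}

def audit(samples=SAMPLES) -> dict:
    return {name: assess(spk, seen) for name, (spk, seen) in samples.items()}

if __name__ == "__main__":
    for name, f in audit().items():
        print(f"{name:14} {f.script_type:7} exposed={f.key_exposed}  {f.reason}")
```

Outputs flagged as exposed are the ones a holder would move to a fresh, never-reused address first.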
Google's Quantum AI researchers made that risk harder to wave away. In a March 30, 2026 paper, Ryan Babbush, Craig Gidney, Hartmut Neven, Justin Drake, Dan Boneh and co-authors estimated that breaking the 256-bit elliptic curve discrete logarithm problem could be done with fewer than 1,500 logical qubits and, on some superconducting assumptions, fewer than half a million physical qubits running for minutes. The Wall Street Journal reported from the paper that about 6.9 million bitcoin, worth roughly $468 billion at the time, sat in addresses vulnerable to quantum attack.
You don't need to believe a wallet-draining machine arrives next year for that number to matter. A June 2026 paper titled Quantum Horizon put the risk in plainer terms: Bitcoin and Ethereum face a broad but mitigable quantum threat, with Bitcoin exposure concentrated in coins that are mostly migratable. Its model estimated roughly a one-in-six chance of a cryptographically relevant quantum computer by 2035, near 30% by 2040 and about 60% by 2050.
That is close enough for a protocol that moves slowly.
Frankly, the Satoshi framing is too neat. Yes, the roughly 1 million BTC attributed to Bitcoin's creator is a perfect symbol because nobody expects those coins to move. But the harder case is the ordinary holder who died, lost keys, ignored warnings, reused addresses years ago or simply didn't understand a migration deadline. Freezing those coins may protect the market from a quantum thief, but it still punishes someone who may have done nothing except fail to act in time.
The opposite choice is ugly too. If a quantum-capable attacker eventually drains millions of exposed coins, Bitcoin would not get to pretend that property rights had been preserved. The coins would move, the market would absorb the shock, and every holder would learn that neutrality can become negligence when the threat is visible years ahead.
This is why Bitcoin governance is the actual story. Developers can publish BIPs. Researchers can produce resource estimates. Wallet companies can warn customers to stop address reuse and move vulnerable coins. None of that forces miners, node operators, exchanges and holders to accept a consensus change that touches dormant wealth. Bitcoin has no CEO to call the meeting and no board to take the vote.
BIP-360 is deliberately narrow because narrow is how Bitcoin changes when it changes at all. It gives users a path toward better long exposure protection without proposing a mass freeze. Proposals to burn or lock vulnerable coins sit in a different political category, because they don't just add an option. They decide what happens to people who don't take it.
Here is the thing: Bitcoin can probably handle the cryptography. Post-quantum schemes exist, and the research path is visible. The harder test is whether a community built around distrust of central authority can coordinate before a quantum attacker gives it no choice. The dormant coins aren't moving on their own, and the clock no longer looks theoretical.