Independent researcher Giancarlo Lelli cracked a 15-bit elliptic curve key on publicly available quantum hardware, winning a 1 BTC bounty and setting a new public record that is simultaneously impressive and a reminder of how far quantum computers still need to travel before real cryptographic systems face genuine risk.
On April 24, Project Eleven, a quantum security research firm, awarded its Q-Day Prize to Lelli after he demonstrated a 512-fold improvement over the previous public record , a 6-bit elliptic curve break performed by engineer Steve Tippeconnic in September 2025 using IBM's 133-qubit quantum computer. Lelli's 15-bit result required 27 physical qubits and approximately 45 minutes of computation time on publicly accessible hardware. Project Eleven described it as the largest public demonstration to date of the attack class that threatens Bitcoin, Ethereum, and over $2.5 trillion in ECC-secured digital assets. That framing is accurate and, simultaneously, requires careful unpacking before it triggers a portfolio reallocation.
Bitcoin uses 256-bit elliptic curve cryptography to secure wallets. A 15-bit key is not a scaled-down version of that , it is a fundamentally different problem. The computational difficulty of breaking ECC does not scale linearly with key size. Every additional bit roughly doubles the difficulty, meaning the gap between 15 bits and 256 bits represents approximately 2 to the power of 241 times more difficulty, a number that has more digits than can be usefully printed. The practical implication is that Lelli's demonstration, while a genuine milestone, tells us where quantum hardware stood in early 2026, not where it will stand when it matters for real cryptographic security. No Bitcoin wallet is at risk from a 27-qubit quantum computer. The record exists to measure progress, not to announce a threat.
What makes the milestone significant is the trajectory it represents. The jump from 2 bits in 2024 to 6 bits in September 2025 to 15 bits in April 2026 is not linear arithmetic , it reflects genuine improvements in qubit coherence, error correction, and algorithm implementation. The attack uses a variant of Shor's algorithm, designed to solve the discrete logarithm problem that underpins ECC security. As quantum hardware matures and error rates fall, the same algorithm runs on larger problems with the same basic structure. The rate of improvement is what the security community is actually watching, not the current record.
The Algorithm Improvements Happening in Parallel
Hardware progress is only half the picture. At EUROCRYPT 2026 in March, French researchers published the Chevignard-Fouque-Schrottenloher algorithm, a new quantum circuit for solving the 256-bit Elliptic Curve Discrete Logarithm Problem that reduces the required logical qubit count from 2,124 , the previous best estimate , to 1,193. That is a 42% reduction in the theoretical resource requirement for breaking Bitcoin's encryption, achieved entirely through algorithmic optimization with no new hardware. In the same month, Google published a whitepaper on securing elliptic curve cryptocurrencies against quantum attacks, updating resource estimates and noting that an attack using fewer than 500,000 physical qubits could theoretically break P-256 in minutes, once fault-tolerant quantum computers at that scale exist. Google has separately warned that rapidly advancing quantum computers could break most current encryption standards by 2029.
The combination of hardware progress and algorithmic efficiency gains means the timeline estimates that seemed conservative three years ago are being revised downward. A threat model that placed meaningful quantum risk to ECC beyond 2035 is now being reconsidered in the 2028 to 2032 window by serious researchers. That range carries significant uncertainty in both directions. But the directional signal from April 2026 , hardware records falling, algorithm requirements shrinking, major labs publishing updated threat timelines , is consistent enough to treat post-quantum migration as an active planning priority rather than a theoretical future concern.
The Harvest-Now-Decrypt-Later Problem
For the crypto industry specifically, there is a threat vector that does not require breaking 256-bit ECC today. Adversaries conducting what security researchers call harvest-now-decrypt-later operations are already collecting encrypted blockchain data and transaction signatures, banking on future quantum capability to extract private keys retroactively. Bitcoin's UTXO model creates a specific vulnerability: addresses that have sent transactions expose their public keys on-chain, and those public keys can be targeted by a sufficiently capable future quantum computer. Estimates place approximately four million Bitcoin, worth over $400 billion at current prices, in addresses with exposed public keys. Those funds are not at risk today. Under a realistic Phase 2 quantum threat timeline beginning around 2028, they become a meaningful target.
The Bitcoin development community has been debating post-quantum signature schemes for years without consensus on implementation. Ethereum's roadmap includes quantum resistance as a longer-term consideration. Neither network has a deployed migration path for users holding funds in exposed addresses. The 15-bit break is not an emergency signal. It is a clock signal , a reminder that the timeline for solving a problem the industry has been deferring is compressing, and that the gap between "not yet" and "too late to migrate gracefully" is now being measured in years rather than decades.
Also read: Humanoid robots can walk, talk, and sort packages but still fumble the hard stuff • Humanoid robots can walk, talk, and sort packages but still fumble the hard stuff • Your 2027 car may watch your eyes and decide whether you are fit to drive
