For years, “quantum computers will break Bitcoin” lived in the same mental folder as alien contact and the heat death of the universe — real in principle, irrelevant in practice. In May 2026, that complacency took a serious hit.
Security firm Project Eleven published an analysis, covered by CoinDesk in early May, arguing that Bitcoin’s migration to quantum-resistant cryptography will be harder than the Taproot upgrade — and that, given how long migrations take, it might already be too late to begin on a comfortable timeline. Days later, on May 24, CoinDesk reported security experts warning that artificial intelligence is accelerating the quantum threat. The conversation has shifted from “someday” to “how many years do we actually have, and are we using them?”
What Quantum Actually Threatens
First, the reassuring part: quantum computers cannot break Bitcoin mining, and they cannot rewrite or reorganize the ledger. Proof-of-work and the hash functions securing the chain’s history are not the soft target.
The soft target is wallet ownership. Bitcoin uses elliptic-curve cryptography (ECDSA) to link a private key to a public key, and the public key to your coins. A sufficiently powerful quantum computer running Shor’s algorithm could, in theory, derive a private key from a public key that is visible on-chain. Once an attacker has your private key, they own your coins — no hacking of the network required.
That word — visible — is the crux. As long as a public key has never been exposed, it is shielded behind a hash. But the moment a public key appears on-chain, the clock starts.
The 6.9 Million Bitcoin Problem
Here is the figure that turned an abstract debate into an urgent one: roughly 6.9 million BTC are already exposed to a future quantum attack because their public keys are visible on the blockchain.
That exposure comes from a few sources:
- Early “pay-to-public-key” outputs, including coins associated with Satoshi Nakamoto’s earliest holdings, which published the raw public key directly.
- Reused addresses, where spending from an address once reveals its public key, leaving any remaining or future balance at that address exposed.
These are not coins that can simply be upgraded quietly. Some sit in wallets whose owners are inactive, unreachable, or — in Satoshi’s case — almost certainly gone. A quantum-capable adversary would not need to break Bitcoin in the abstract; they could pick off the most exposed millions of coins first.
The Timeline Fight
So how long do we have? This is where credible experts genuinely disagree.
The more relaxed camp — including advisers associated with Google and Coinbase — estimates 5 to 10 years, and describes the machine capable of breaking ECDSA as “at least two major engineering leaps away.” Quantum hardware today is nowhere near the scale and error-correction needed.
Project Eleven’s analysis is less sanguine. It argues that, based on current trajectories, “Q-Day” is more likely than not by 2033 — and potentially as early as 2030. And the AI-acceleration warnings from late May suggest the curve could steepen faster than linear extrapolation implies.
But the most important number in this debate is not Q-Day. It is the migration time. Even the optimistic 5-to-10-year window is dangerous if moving the entire ecosystem onto quantum-safe cryptography takes nearly that long. Which, history suggests, it might.
Why This Is Harder Than Taproot
The natural rebuttal is: Bitcoin has upgraded before, it can upgrade again. Project Eleven’s point is that this upgrade is categorically harder.
Consider Taproot. It took roughly five years from concept to activation, and even then it remained opt-in — users adopted it at their own pace, and nothing broke if they didn’t.
A post-quantum migration cannot work that way. To actually be secure, every user, every wallet, and every exchange would need to move funds to quantum-resistant address types before Q-Day. Coins left behind in exposed, legacy formats stay vulnerable. A partial migration is, for the exposed coins, no migration at all.
Layer on Bitcoin’s defining characteristics — no central authority, deliberate change-resistance, and a culture that treats urgency itself with suspicion — and you have a system structurally optimized against the kind of coordinated, deadline-driven upgrade the quantum threat demands.
The contrast with Ethereum is instructive. Ethereum reportedly has a more coordinated, better-funded post-quantum roadmap. Bitcoin has research, proposals, and debate — but no unified plan with a timeline behind it.
BIP-360, BIP-361, and the Path Forward
There is real work underway. Proposals such as BIP-360 and BIP-361 are being watched as potential foundations for quantum-resistant signatures and the eventual migration path. The central argument from the alarmed camp is simple: the developer community should move post-quantum signature options from research into production rather than waiting for certainty about quantum timelines. By the time Q-Day is provably near, the multi-year migration window will have closed.
That is the uncomfortable logic of the “too late” framing. You cannot start migrating after the threat arrives. You have to finish before it does.
What Holders Can Do Now
You don’t need to panic, but you can stop adding to the exposed pile:
- Avoid address reuse. Use a fresh address for each receive. Modern HD wallets do this by default — let them. Reusing an address publishes its public key and erases the hash-based protection.
- Move coins out of legacy, exposed address types over time, especially anything sitting at a reused or pay-to-public-key address.
- Favor wallets and custodians that are publicly planning for post-quantum support. Their readiness will matter when migration tooling lands.
- Watch the BIPs. BIP-360 and BIP-361 are the threads to follow; their progress is a real signal of how seriously the migration is being taken.
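The two exposure sources listed earlier (pay-to-public-key outputs and reused addresses) and the first two checklist items above can be checked mechanically against a wallet's own outputs. The Python below is an added example, not code from Project Eleven or any wallet project; the names `script_type` and `audit` and all sample scripts are constructed for illustration. It goes slightly beyond the page's list by also flagging Taproot outputs, whose script carries a 32-byte key directly.

```python
# Added example. Scripts and spent flags are constructed sample data, not chain data.
KEY_IN_OUTPUT = {"p2pk", "p2tr"}  # templates that carry a public key in the output itself

def script_type(spk: bytes) -> str:
    """Match a scriptPubKey against the standard templates by byte layout."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"    # <33- or 65-byte pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"   # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"    # OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"  # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"   # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"    # OP_1 <32-byte output key>
    return "nonstandard"

def audit(outputs):
    """Map each script that still holds unspent coins to (type, exposure status)."""
    # A script seen on a spent output has had its key (or redeem script) revealed.
    revealed = {o["spk"] for o in outputs if o["spent"]}
    report = {}
    for o in filter(lambda o: not o["spent"], outputs):
        kind = script_type(bytes.fromhex(o["spk"]))
        if kind in KEY_IN_OUTPUT:
            status = "exposed: key in output"
        elif kind == "nonstandard":
            status = "unknown: review manually"
        elif o["spk"] in revealed:
            status = "exposed: reused after spend"
        else:
            status = "hashed: key not yet revealed"
        report[o["spk"]] = (kind, status)
    return report

P2PK = "2102" + "11" * 32 + "ac"
P2PKH_REUSED = "76a914" + "aa" * 20 + "88ac"
P2WPKH_FRESH = "0014" + "bb" * 20
P2TR = "5120" + "cc" * 32
SAMPLE = [{"spk": s, "spent": f} for s, f in [
    (P2PK, False), (P2PKH_REUSED, True),   # earlier spend revealed the key
    (P2PKH_REUSED, False), (P2WPKH_FRESH, False), (P2TR, False)]]

if __name__ == "__main__":
    for spk, (kind, status) in audit(SAMPLE).items():
        print(f"{kind:8} {status:30} {spk[:16]}...")
```

On real data the `spent` flag would come from the wallet's own transaction history; anything reported as exposed is a candidate for the "move coins out" step above.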
The Takeaway
The quantum threat to Bitcoin is not science fiction, and it is no longer comfortably distant. The cryptography securing wallet ownership has a finite shelf life, roughly 6.9 million coins are already in the exposed column, and the one upgrade Bitcoin most needs is the one its design makes hardest to coordinate.
Project Eleven’s warning is not that the sky is falling in 2026. It is that the window to prepare is shorter than the preparation requires — and that a network famous for moving slowly may be facing the one deadline it cannot afford to miss.



