Author: Tanay Ved, Senior Researcher at Coin Metrics; Translation: @jinsecaijingxz
Article Summary
While quantum computers do not currently pose a real threat to blockchain encryption systems, recent technological breakthroughs have significantly shortened the window of opportunity for response, pushing the industry into a proactive preparedness phase.
It is estimated that approximately 6.9 million BTC are at risk of quantum computing attacks due to the use of legacy address types and key reuse, of which approximately 1.7 million BTC (9% of the supply) exist in dormant tokens from the Satoshi Nakamoto era and are difficult to migrate.
Quantum risks vary depending on the blockchain's address structure, signature scheme, and consensus model. Various ecosystems are actively advancing proposals and post-quantum roadmaps to adopt new signature schemes.
The rapid development of quantum computing is transforming what was once a distant theoretical possibility into a concrete challenge for the underlying encryption technology of blockchains. Recent research by Google's Quantum AI team shows that the resources and time required to build a quantum computer capable of breaking the elliptic curve cryptography relied upon by Bitcoin and other blockchains are decreasing. Coinbase's Quantum Advisory Committee also points out that although such machines have not yet been created, the window for migrating to quantum-resistant encryption has opened. As this risk becomes increasingly imminent, developers, network participants, investors, and large institutional holders will play a crucial role in guiding the decentralized ecosystem towards a quantum-resistant future. This article examines the risks quantum computing poses to blockchain encryption, focusing on Bitcoin's exposure, the controversy surrounding dormant tokens, and the paths Ethereum and Solana are currently taking towards quantum-resistant preparedness.
2. Understanding the Imminent Quantum Risks
Blockchain security relies on cryptographic signatures that are difficult for traditional computers to crack but could be broken by quantum computers. Currently, Bitcoin, Ethereum, and most other networks use elliptic curve signatures (such as ECDSA and BLS) to prove that the private key holder has authorized a transaction. In principle, quantum algorithms such as Shor's algorithm can derive the private key from the corresponding public key, meaning that once such a machine becomes available, any address with an exposed public key could become a target for attack.
This risk manifests primarily in two forms, depending on whether the public key has been exposed in the transaction:
Static (Long-Term) Attacks: Targeting wallets, validator keys, and contracts whose public keys are publicly visible on the chain. Future quantum computers could deduce private keys and steal funds without the owner making any new moves.
Dynamic (Short-Term) Attacks: Attacking transactions within the short window between the public key being exposed through a spending activity and the transaction being confirmed. A sufficiently fast quantum computer could race to sign a conflicting transaction before the network confirms the original. Bitcoin's approximately 10-minute block time creates a longer risk exposure window than faster chains like Ethereum (approximately 12 seconds) or Solana (sub-second finality).
3. Bitcoin's Quantum Risk Exposure
Bitcoin's quantum risk primarily exists at the wallet level, and its level depends on how the UTXO model and address types handle public keys. Each unspent transaction output (UTXO) is locked in a script bound to a public-private key pair. As long as the public key remains hidden, it is difficult for quantum attackers to launch an attack. However, once the key is exposed on-chain, future quantum computers can deduce the private key and forge valid spending.
Therefore, the root of Bitcoin's risk lies in whether the public key has been exposed, and the risk varies depending on the address type and reuse:
P2PK (Pay to Public Key): Includes some of the earliest tokens from the "Satoshi era," tokens from early miners, and tokens from Satoshi Nakamoto himself.
P2TR (Taproot): This type of address improves flexibility and privacy, but because it embeds the modified (tweaked) public key directly in the address, it gives future quantum attackers a visible target from the outset.
The following diagram illustrates the evolution of the adoption of these address types in Bitcoin's history, highlighting the shift from traditional P2PK/P2PKH to Segregated Witness outputs. This shift is gradually moving new tokens to addresses with structurally smaller quantum risk exposure.

4. How much Bitcoin is at risk?
According to estimates from the quantum computing white paper released by Project Eleven and Google in March, approximately 6.9 million BTC are stored in addresses where public keys have been exposed. These exposures arise either from the use of traditional P2PK outputs (whose public keys are publicly visible on-chain from the moment they are created) or from address reuse (where the public key is permanently broadcast to the network when the coins are spent).
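An added example (not from the original article and not Coin Metrics' ATLAS tooling) of the distinction drawn above between outputs whose public key is visible from creation (P2PK, P2TR) and hash-protected outputs exposed only through address reuse. The function names, the exposure class labels and the sample scripts are assumptions constructed for illustration; only the standard scriptPubKey byte templates are real.

```python
from collections import Counter

COIN = 100_000_000  # satoshis per BTC
AT_REST = {"P2PK", "P2TR"}                     # public key sits in the output script
HASHED = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}  # only a hash is visible until spent

def script_type(spk: bytes) -> str:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"    # <33- or 65-byte pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH"
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"    # OP_1 <32-byte output key>
    return "OTHER"

def exposure_report(utxos, spent_from):
    """Sum satoshis per exposure class.

    utxos: iterable of (scriptPubKey, satoshis); spent_from: set of scripts
    that already appeared as a spent input (their key was revealed on-chain).
    """
    totals = Counter()
    for spk, sats in utxos:
        kind = script_type(spk)
        if kind in AT_REST:
            totals["exposed_at_rest"] += sats
        elif kind in HASHED and spk in spent_from:
            totals["exposed_by_reuse"] += sats
        elif kind in HASHED:
            totals["hidden_until_spend"] += sats
        else:
            totals["unclassified"] += sats
    return dict(totals)

# Constructed sample data: dummy key/hash bytes, not real outputs.
P2PK_OUT = b"\x41\x04" + bytes(64) + b"\xac"
P2PKH_A = b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac"
P2PKH_B = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
P2WPKH_OUT = b"\x00\x14" + b"\x33" * 20
P2TR_OUT = b"\x51\x20" + b"\x44" * 32
SAMPLE_UTXOS = [(P2PK_OUT, 50 * COIN), (P2PKH_A, 2 * COIN), (P2PKH_B, 3 * COIN),
                (P2WPKH_OUT, 1 * COIN), (P2TR_OUT, 4 * COIN)]
SPENT_FROM = {P2PKH_A}  # address A was spent from earlier, then funded again

if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS, SPENT_FROM))
```

A wallet operator can run the same classification over their own UTXO set to find balances worth moving to an unused hash-protected address.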
...

We scanned the first 500,000 Bitcoin blocks using the Coin Metrics ATLAS system and confirmed that approximately 2.3 million BTC are stored in high-risk addresses. Of these, approximately 1.7 million are likely from P2PK creation outputs from the Satoshi Nakamoto era and early miner era. The remaining approximately 4.6 million high-risk BTC are mainly distributed in blocks generated after 2017. As the address type adoption trend shows, traditional P2PKH address generation has never completely stopped, and since the introduction of Segregated Witness and Taproot, the reuse of addresses in both old and new formats has increased year by year.
...
5. The Dormant Coin Dilemma
The core of the quantum risk debate lies in the fate of dormant bitcoins and those held by Satoshi Nakamoto. Approximately 1.7 million BTC (9% of the total supply) have never circulated since the early stages and are stored in traditional address types where the public keys have been exposed or will be exposed immediately upon use. This supply includes approximately 1.1 million BTC associated with Satoshi Nakamoto, dispersed across approximately 22,000 accounts (each with approximately 50 BTC), rather than a single wallet.
These "Satoshi-era" tokens pose a unique challenge. Because this portion of the supply cannot actively participate in migration, deciding whether and how to protect them has become one of the most contentious coordination problems in Bitcoin. Community-proposed solutions encompass a variety of interventions, including maintaining the status quo (no intervention), freezing assets, burning tokens, or rate-limiting spending.
The risks faced by these dormant coins are not evenly distributed. As shown in the figure below, the majority of them exist in P2PK creation outputs (approximately 1.7 million BTC, distributed across 34,000 addresses), and from a quantum computing perspective, these assets have the highest exposure risk. The remaining dormant assets are more dispersed: approximately 410,000 BTC are distributed across 550 large addresses (each address holding >100 BTC), and another approximately 110,000 BTC are held by nearly 20,000 small accounts.
Quantum risk thus diverges into two categories: one is P2PK outputs from the Satoshi Nakamoto era, which carry the highest risk but are dispersed across a large number of small addresses; the other is a few high-value wallets (such as exchange cold wallets) whose public keys are exposed due to key reuse, which are more attractive as individual targets but can participate in migration more actively.
Quantum risk also varies depending on the network's address structure, signature scheme, and governance model. As we have seen, Bitcoin's main risk exposure lies at the wallet and UTXO levels: traditional address types expose the public keys of some tokens, but its Proof-of-Work (PoW) mining mechanism and hash function are currently largely secure. In contrast, blockchains like Ethereum and Solana employ an account model. Under this model, the public key of an externally owned account (EOA) is fully exposed once it initiates a transaction, putting a larger proportion of asset value at risk, while in Bitcoin's UTXO model, many tokens are still hash-protected and address reuse is less common. Furthermore, Proof-of-Stake (PoS) chains like Ethereum and Solana face additional risks because their validators secure the network using elliptic curve signatures. This makes governance and consensus on risk mitigation key variables, and networks with different characteristics and degrees of decentralization will differ significantly in how quickly they adopt quantum-resistant upgrades.
7. Quantum-resistant proposals and migration paths
Bitcoin
The core of protecting Bitcoin from quantum threats lies in enabling quantum-resistant signatures and migrating tokens to secure address types. This inevitably involves the supply of "dormant" assets that are difficult to migrate, which goes to the core contradiction in Bitcoin's governance trade-offs. Currently discussed proposals include: