Why Satoshi’s wallet is a prime quantum target
Satoshi’s 1.1 million BTC wallet is increasingly viewed as a quantum vulnerability as researchers assess how quantum computing may affect the earliest Bitcoin output types.
Satoshi Nakamoto’s estimated 1.1 million Bitcoin (BTC) are often referred to as the ultimate “lost treasure” of the cryptocurrency world. The coins are a digital ghost ship: they have sat untouched on the blockchain since they were mined, with no outgoing transaction ever recorded. This huge stash, worth about $67 billion to $124 billion depending on the market price, is the stuff of legend.
But for a growing number of cryptographers and physicists, it is also a multibillion-dollar security risk. The threat isn’t hackers, compromised servers or lost passwords. It is the emergence of a completely new form of computation: quantum computing.
As quantum machines move from theoretical laboratories to working prototypes, they pose a potential threat to existing cryptographic systems. This includes the public-key cryptography that secures Satoshi’s coins, the broader Bitcoin network and parts of the global financial infrastructure.
This is not a distant “what if” story. The race to build both quantum computers and quantum-proof defenses is one of the most important and well-funded technological endeavors of our time. Here’s what you need to know:
Why Satoshi’s initial wallet is an easy target for quantum attacks
Most modern Bitcoin address types hide the public key until the coins are spent. Satoshi’s coins sit in legacy Pay-to-Public-Key (P2PK) outputs, which do not: the public key is permanently published on-chain.
To understand this threat, it’s important to realize that not all Bitcoin addresses are created equal. The vulnerability lies in the type of output script (loosely, the address type) Satoshi’s coins were mined to in 2009 and 2010.
Most of today’s bitcoin is held in Pay-to-Public-Key-Hash (P2PKH) addresses starting with “1” or in SegWit addresses starting with “bc1q”. With these address types the blockchain does not store the full public key when coins are received; it stores only a hash of the key, and the public key itself is revealed only when the coins are spent. (Taproot addresses, starting with “bc1p”, are different: they place a public key directly in the output, so they do not get this protection.)
Think of it like a bank’s night-deposit box. The address hash is the slot: anyone can see it and drop money in. The public key is the locked door behind the slot; nobody can inspect the lock or its mechanism. The lock is shown to the network only at the one moment you decide to spend, when the private key opens it.
Satoshi’s coins, however, are held in the much older P2PK output type. This legacy format does not hash the key: the public key itself, the lock in our analogy, is recorded in the output script, visible on the blockchain to everyone, forever.
For classical computers this is not a problem. Deriving a private key from a published public key remains computationally infeasible. For a sufficiently large quantum computer, however, that published public key is exactly the input the attack needs. It is an open invitation to come and unlock it.
How quantum machines could break Bitcoin using Shor’s algorithm
Bitcoin’s signature scheme, the Elliptic Curve Digital Signature Algorithm (ECDSA), relies on a mathematical problem that is computationally infeasible for classical computers. Shor’s algorithm solves that problem if run on a sufficiently powerful quantum computer.
Bitcoin’s security model is built on ECDSA over the secp256k1 curve. Its strength rests on a one-way mathematical assumption: it is easy to derive the public key by multiplying the private key by a fixed point on the curve (the generator), but it is practically impossible to take that public key and reverse the process to find the private key. This is known as the elliptic curve discrete logarithm problem (ECDLP).
Classical computers have no known efficient way to solve it. The key space is about 2^256 (roughly 10^77, comparable to estimates of the number of atoms in the observable universe), and even the best known classical algorithms still need on the order of 2^128 elliptic-curve operations, far beyond any supercomputer on Earth now or in the foreseeable future.
A quantum computer does not have to guess. It calculates.
The tool for this is Shor’s algorithm, published by Peter Shor in 1994. On a sufficiently powerful quantum computer it uses quantum superposition and period finding to solve the discrete logarithm problem directly. According to published estimates, a large fault-tolerant machine could take a published public key and recover the single private key that created it in hours or days.
Attackers don’t need to hack any server. They just need to collect a published P2PK public key from the blockchain, feed it into the quantum machine and wait for the private key to be returned. They can then sign a transaction and move Satoshi’s 1.1 million coins.
Did you know? Breaking a 256-bit elliptic-curve key is estimated to require about 2,330 stable logical qubits. Today’s physical qubits are so noisy and error-prone that experts believe a fault-tolerant system would need more than 1 million physical qubits to produce those 2,330 logical qubits.
How close is Q-Day?
Companies such as Rigetti and Quantinuum are racing to build cryptographically relevant quantum computers, and expected timelines have compressed from decades to years.
“Q-Day” is the hypothetical moment when quantum computers are able to break current public-key cryptography. For years this was treated as a “10 to 20 years away” problem, but that timeline is now shrinking rapidly.
The reason it takes about 1 million physical qubits to get 2,330 logical qubits is quantum error correction. Qubits are incredibly fragile: noise, vibration, temperature changes and radiation cause decoherence, the loss of the quantum state, which produces computational errors.
To run long computations such as breaking ECDSA, stable logical qubits are required. Creating a single logical qubit may require combining hundreds or thousands of physical qubits into an error-correcting code. That is the system overhead of keeping the computation stable.
We are in a rapidly accelerating quantum race.
- Companies like Quantinuum, Rigetti and IonQ are publicly pursuing aggressive quantum roadmaps, alongside tech giants such as Google and IBM.
- For example, Rigetti plans to reach systems with more than 1,000 qubits by 2027.
- This published progress does not include classified state-level research. The first actor to reach Q-Day could, in theory, hold the master key to the world’s financial and information systems.
Therefore, defenses must be built and deployed before an attack is possible.
Why millions of bitcoin are exposed to quantum attacks
According to a 2025 Human Rights Foundation report, 6.51 million BTC sit in vulnerable addresses, of which 1.72 million BTC, including Satoshi’s, are considered lost or unmovable.
Satoshi’s wallet is the biggest prize, but it’s not the only one. The Human Rights Foundation’s October 2025 report analyzed quantum vulnerabilities across blockchains.
The findings were as follows:
- 6.51 million BTC are vulnerable to long-range quantum attacks, meaning attacks on keys that are already public.
- This includes 1.72 million BTC in very early output types that are believed to be dormant or lost, including Satoshi’s estimated 1.1 million BTC, much of it in P2PK outputs.
- A further 4.49 million BTC are vulnerable but could be secured through migration, suggesting their owners are still likely to be able to act.
Much of this 4.49 million BTC belongs to users who made the mistake of reusing addresses. They used hash-based P2PKH addresses, but after spending from one (which places the public key in the spending transaction) they received new funds at the same address. This was common in the early 2010s. Once a key has been revealed by a spend, every later deposit to that address is as exposed as a P2PK output, so address reuse turned otherwise protected wallets into targets as vulnerable as Satoshi’s.
If a hostile attacker were to reach Q-Day first, the simple act of moving Satoshi’s coins would serve as proof of a successful attack. It would instantly signal that Bitcoin’s fundamental security had been breached, causing market-wide panic, runs on exchanges and an existential crisis for the entire crypto ecosystem.
Did you know? A commonly discussed tactic is “harvest now, decrypt later.” Attackers are already recording encrypted data such as internet traffic, with the goal of decrypting it years later once they obtain a quantum computer. Exposed blockchain public keys are an even easier case: they are not encrypted at all, so there is nothing to harvest; the attacker simply waits and breaks them later.
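The two exposure paths described in this article, keys written in the clear in the output (the P2PK section above) and keys revealed by spending and then reusing a hash-based address (this paragraph), as an added example that is not part of the original article or of the Human Rights Foundation report: a small classifier for standard Bitcoin output scripts (scriptPubKey templates as Bitcoin Core recognises them) and a walk over a constructed toy ledger that flags every unspent output whose public key is already public. The ledger, the 20-byte hashes and the 33-byte key are constructed values, not real chain data; the simplification that spending any hash-based output reveals whatever key material its script commits to is an assumption of the example.

```python
# Added example (not from the article or the HRF report): classify Bitcoin
# output scripts by whether they expose a public key, then flag unspent outputs
# that are long-range quantum targets, either because the key is in the output
# (P2PK, Taproot) or because the same address was spent from earlier (reuse).

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0xA9, 0x87, 0x88, 0xAC)


def classify(script: bytes):
    """Return (script_type, key_in_output, identifier).

    key_in_output: True when a public key is written in the output itself.
    identifier: what ties the output to a key: the key for P2PK/P2TR, otherwise
    the hash the spender must open (revealing the key) when the coins move.
    """
    n = len(script)
    # P2PK: <33- or 65-byte pubkey push> OP_CHECKSIG  (2009-style mining outputs)
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        return "p2pk", True, script[1:-1]
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG  ("1..." addresses)
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", False, script[3:23]
    # P2SH: OP_HASH160 <20> OP_EQUAL  ("3..." addresses)
    if n == 23 and script[:2] == bytes([OP_HASH160, 20]) and script[-1] == OP_EQUAL:
        return "p2sh", False, script[2:22]
    # SegWit v0: OP_0 <20-byte key hash | 32-byte script hash>  ("bc1q..." addresses)
    if n in (22, 34) and script[0] == OP_0 and script[1] == n - 2:
        return ("p2wpkh" if n == 22 else "p2wsh"), False, script[2:]
    # Taproot: OP_1 <32-byte x-only tweaked key>  ("bc1p...": key is in the output)
    if n == 34 and script[0] == OP_1 and script[1] == 32:
        return "p2tr", True, script[2:]
    return "unknown", False, script


def exposed_unspent_outputs(ledger):
    """Replay transactions in order; return {(txid, vout): (type, key_exposed)}
    for every unspent output. Assumption of this example: spending a hash-based
    output reveals the key material its script commits to, so any other output
    with the same identifier (address reuse) is exposed from then on."""
    utxo = {}          # (txid, vout) -> (type, key_in_output, identifier)
    revealed = set()   # identifiers whose key was revealed by an earlier spend
    for tx in ledger:
        for prev in tx["inputs"]:                 # coinbase txs have no inputs
            _typ, _in_output, ident = utxo.pop(prev)
            revealed.add(ident)
        for vout, script_hex in enumerate(tx["outputs"]):
            utxo[(tx["txid"], vout)] = classify(bytes.fromhex(script_hex))
    return {outpoint: (typ, key_in_output or ident in revealed)
            for outpoint, (typ, key_in_output, ident) in utxo.items()}


# --- constructed sample data (not real chain data) ---
PUBKEY = bytes([0x02]) + b"\xab" * 32       # constructed 33-byte compressed key
H1, H2, H3 = b"\x11" * 20, b"\x22" * 20, b"\x33" * 20
XONLY = b"\x44" * 32

def p2pk(pub):   return (bytes([len(pub)]) + pub + bytes([OP_CHECKSIG])).hex()
def p2pkh(h):    return (bytes([OP_DUP, OP_HASH160, 20]) + h + bytes([OP_EQUALVERIFY, OP_CHECKSIG])).hex()
def p2wpkh(h):   return (bytes([OP_0, 20]) + h).hex()
def p2tr(xonly): return (bytes([OP_1, 32]) + xonly).hex()

SAMPLE_LEDGER = [
    {"txid": "a", "inputs": [],           "outputs": [p2pk(PUBKEY)]},             # 2009-style coinbase
    {"txid": "b", "inputs": [],           "outputs": [p2pkh(H1)]},                # deposit to address H1
    {"txid": "c", "inputs": [("b", 0)],   "outputs": [p2pkh(H2), p2wpkh(H3)]},    # spend: H1's key now public
    {"txid": "d", "inputs": [],           "outputs": [p2pkh(H1), p2tr(XONLY)]},   # reuse of H1, plus Taproot
]

if __name__ == "__main__":
    for outpoint, (typ, exposed) in sorted(exposed_unspent_outputs(SAMPLE_LEDGER).items()):
        print(outpoint, typ, "EXPOSED" if exposed else "hidden")
```

Run against the sample ledger, the P2PK coinbase and the Taproot output are exposed by construction, the fresh P2PKH and P2WPKH outputs from transaction c are hidden, and the second deposit to H1 in transaction d is exposed because H1 was already spent from in transaction c. The same replay over a real UTXO set is how the “vulnerable but migratable” category in the report is identified; the hidden outputs are still short-range targets at the moment they are spent, which is why migration to a post-quantum output type is needed for them too.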
How Bitcoin can switch to quantum security
The entire technology industry is transitioning to new quantum-resistant standards. For Bitcoin, this would require a major network upgrade, i.e. a fork to a new signature algorithm.
The crypto community is not waiting for Q-Day to arrive. The solution is post-quantum cryptography (PQC): a new generation of cryptographic algorithms built on different mathematical problems that are believed to be hard for both classical and quantum computers.
Many PQC algorithms rely on structures such as lattices instead of elliptic curves. The National Institute of Standards and Technology (NIST) is leading the standardization effort.
- In August 2024, NIST published its first three final PQC standards.
- Key to this discussion is ML-DSA (Module-Lattice-Based Digital Signature Algorithm), the standardized form of CRYSTALS-Dilithium.
- The broader technology world is already adopting PQC. OpenSSH 10.0 (April 2025) made a hybrid post-quantum key exchange based on ML-KEM the default, and by late 2025 Cloudflare reported that the majority of the web traffic it sees was protected by PQC. Note that these deployments protect key exchange; post-quantum signatures such as ML-DSA are the part Bitcoin would need, and they come with much larger keys and signatures than ECDSA.
In the case of Bitcoin, the way forward would be a network-wide software update, most likely implemented as a soft fork. Such an upgrade would introduce new quantum-resistant output types (one proposal is referred to as “P2PQC”). It would not force anyone to move. Instead, users could voluntarily transfer funds from vulnerable outputs to the new secure ones, including P2PKH and SegWit outputs, whose keys are hidden only until the moment they are spent. This approach is similar to how the SegWit upgrade was deployed.
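To make the trade-off behind a post-quantum output type concrete, here is an added example that is not part of the original article and is neither ML-DSA nor any proposed Bitcoin script: a Lamport one-time signature, the simplest hash-based scheme (the hash-based family is the other signature family NIST standardized in 2024, as SLH-DSA). Its security rests only on the preimage resistance of SHA-256, a problem Shor’s algorithm does not address, which is exactly why such schemes are considered quantum-resistant. The message strings are constructed inputs; the block also shows the two practical costs a Bitcoin upgrade has to absorb, key and signature size and the strict one-time use of each key.

```python
# Added example (not the article's, NIST's or Bitcoin's code): Lamport one-time
# signatures over SHA-256. Security depends only on hash preimage resistance,
# so it is quantum-resistant in the sense discussed in the article, but the
# keys are large and each key may sign exactly one message.
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=secrets.token_bytes):
    """256 message bits x 2 choices x 32-byte secrets: sk is 16 KiB, pk is 16 KiB."""
    sk = [[rng(32), rng(32)] for _ in range(256)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    """Reveal one of the two secrets per bit of H(msg): 256 x 32 bytes = 8 KiB."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


def sizes(pk, sig):
    """(public key bytes, signature bytes) for comparison with ECDSA's 33 and ~72."""
    return sum(len(x) for pair in pk for x in pair), sum(len(s) for s in sig)


def positions_fully_revealed(msg1, sig1, msg2, sig2) -> int:
    """Why the key is one-time: after two signatures, every bit position where
    the two digests differ has BOTH secrets public, so an attacker can forge any
    message whose digest agrees with one of the two at the remaining positions."""
    b1, b2 = _bits(msg1), _bits(msg2)
    return sum(1 for i in range(256) if b1[i] != b2[i])


if __name__ == "__main__":
    sk, pk = keygen()
    tx = b"spend output a:0 to bc1q...example"        # constructed message
    sig = sign(sk, tx)
    print("valid:", verify(pk, tx, sig))                # True
    print("tampered:", verify(pk, tx + b"!", sig))      # False
    print("pk bytes, sig bytes:", sizes(pk, sig))       # (16384, 8192)
    sig2 = sign(sk, b"second spend")                    # key reuse: a mistake
    print("positions with both secrets leaked:",
          positions_fully_revealed(tx, sig, b"second spend", sig2))
```

Compared with a 33-byte compressed ECDSA key and a roughly 72-byte signature, a Lamport key and signature are hundreds of times larger, and signing twice with one key leaks secrets; production hash-based schemes such as SLH-DSA fix the one-time limitation with Merkle trees at the cost of even larger signatures, while lattice schemes such as ML-DSA keep signatures in the low kilobytes. Either way, block space per spend is the cost any Bitcoin PQC output type has to pay, which is why the migration is expected to be voluntary and gradual rather than a forced cut-over.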
