Why Satoshi’s wallet is a prime quantum target
Satoshi’s 1.1 million BTC wallet is increasingly being viewed as a potential quantum vulnerability as researchers assess how advancing computing power could impact early Bitcoin addresses.
Satoshi Nakamoto’s estimated 1.1 million Bitcoin (BTC) is often described as the ultimate “lost treasure” of the cryptocurrency world. It sits on the blockchain like a dormant volcano, a digital ghost ship that hasn’t seen an on-chain transaction since its creation. This enormous stash, worth approximately $67 billion to $124 billion at current market exchange rates, has become the stuff of legend.
But for a growing number of cryptographers and physicists, it is also considered a multibillion-dollar security risk. The threat is not a hacker, a server breach, or a lost password; it is the emergence of a completely new form of computing: quantum computing.
As quantum machines move from theoretical research laboratories to powerful functional prototypes, they represent a potential threat to existing cryptographic systems. This includes the encryption that protects Satoshi coins, the broader Bitcoin network, and parts of the global financial infrastructure.
This is not a distant “what if?” The race to build a quantum computer and quantum-resistant defense is one of the most critical and well-funded technological efforts of our time. Here’s what you need to know.
Why Satoshi’s First Wallets Are Easy Quantum Targets
Most modern Bitcoin wallets hide the public key until a transaction occurs. Legacy Satoshi pay-to-public-key (P2PK) addresses do not, and their public keys are permanently exposed on-chain.
To understand the threat, it is important to recognize that not all Bitcoin addresses are created equal. The vulnerability lies in the type of address Satoshi used in 2009 and 2010.
Today, most Bitcoin is held in pay-to-public-key-hash (P2PKH) addresses, starting with “1”, or in newer SegWit addresses starting with “bc1”. In these types of addresses, the blockchain does not store the full public key when the coins are received; it stores only a hash of the public key, and the actual public key is revealed only when the coins are spent.
Think of it like a bank mailbox. The address hash is the mail slot; anyone can view it and deposit money. The public key is the closed metal door behind the slot. No one can see the lock or its mechanism. The public key (the “lock”) is only revealed to the network at the one time you decide to spend the coins, at which point your private key “unlocks” it.
Satoshi coins, however, are stored in much older P2PK addresses. In this legacy format, there is no hash. The public key itself, the lock in our analogy, is visibly and permanently recorded on the blockchain for everyone to see.
For a classic computer, this does not matter. It is still virtually impossible to reverse engineer a public key to find the corresponding private key. But for a quantum computer, that exposed public key is a detailed blueprint. It’s an open invitation to come pick the lock.
How Shor’s Algorithm Lets Quantum Machines Break Bitcoin
Bitcoin’s security, the Elliptic Curve Digital Signature Algorithm (ECDSA), is based on mathematics whose reversal is computationally infeasible for classical computers. Shor’s algorithm, if run on a powerful enough quantum computer, is designed to break that math.
Bitcoin’s security model is based on ECDSA. Its strength comes from a one-way mathematical assumption. It’s easy to multiply a private key by a point on a curve to get a public key, but it’s essentially impossible to take that public key and reverse the process to find the private key. This is known as the elliptic curve discrete logarithm problem.
A classical computer has no known way to “split” this operation. Its only option is brute force, guessing all possible keys. The number of possible keys is 2^256, a number so vast that it exceeds the number of atoms in the known universe. That’s why Bitcoin is safe from all classical supercomputers on Earth, now and in the future.
A quantum computer wouldn’t guess. It would calculate.
The tool for this is Shor’s algorithm, a theoretical process developed in 1994. On a sufficiently powerful quantum computer, the algorithm can use quantum superposition to find the mathematical patterns, specifically the period, hidden within the elliptic curve problem. You can take an exposed public key and, in a matter of hours or days, reverse engineer it to find the unique private key that created it.
An attacker would not need to hack a server. They could simply collect the exposed P2PK public keys from the blockchain, feed them into a quantum machine, and wait for the private keys to be returned. They could then sign a transaction and move the 1.1 million Satoshi coins.
Did you know? It is estimated that breaking the Bitcoin encryption would require a machine with approximately 2,330 stable logical qubits. Because current qubits are noisy and error-prone, experts believe that a fault-tolerant system would need to combine more than 1 million physical qubits just to create those 2,330 stable ones.
How close are we to a Q-Day?
Companies like Rigetti and Quantinuum are racing to build a cryptographically relevant quantum computer, and the timeline is shrinking from decades to years.
“Q-Day” is the hypothetical moment in which a quantum computer will be able to break the current encryption. For years, it was considered a “10 to 20 year” distant problem, but that timeline is now rapidly compressing.
The reason we need 1 million physical qubits to get 2,330 logical ones is quantum error correction. Qubits are incredibly fragile. They are noisy and sensitive to even slight vibrations, temperature changes or radiation, which can cause them to decohere and lose their quantum state, causing errors in calculations.
To perform a calculation as complex as breaking ECDSA, you need stable logical qubits. To create a single logical qubit, you may need to combine hundreds or even thousands of physical qubits in error-correcting code. This is the overhead of the system to maintain stability.
We are in a rapidly accelerating quantum race.
Companies like Quantinuum, Rigetti, and IonQ, along with tech giants like Google and IBM, are publicly pursuing aggressive quantum roadmaps.
Rigetti, for example, remains on track to achieve a system of more than 1,000 qubits by 2027.
This public-facing progress does not take into account classified research at the state level. In theory, the first nation to reach Q-Day could have a master key to access global financial and intelligence data.
Therefore, the defense must be built and deployed before the attack is possible.
Why millions of Bitcoin are exposed to quantum attacks
A 2025 report from the Human Rights Foundation found that 6.51 million BTC are located in vulnerable addresses, of which 1.72 million, including Satoshi’s, are considered lost and immovable.
Satoshi’s wallet is the biggest prize, but not the only one. An October 2025 report from the Human Rights Foundation analyzed the entire blockchain for quantum vulnerability.
The findings were clear:
6.51 million BTC are vulnerable to long-range quantum attacks.
This includes 1.72 million BTC in very early address types that are believed to be inactive or potentially lost, including the estimated 1.1 million BTC attributed to Satoshi, much of which sits in P2PK addresses.
Another 4.49 million BTC are vulnerable, but could be secured through migration, suggesting their owners can probably still take action.
This stash of 4.49 million BTC belongs to users who made a critical mistake: reusing addresses. They used modern P2PKH addresses, but after spending from them (which reveals the public key), they received new funds at that same address. This was a common practice in the early 2010s. By reusing the address, they permanently exposed their public key on-chain, making their modern wallet as vulnerable a target as Satoshi’s.
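As an added illustration (not from the original article), the Python sketch below classifies raw Bitcoin output scripts as legacy P2PK or P2PKH and walks a constructed, chain-ordered list of receives and spends to flag which remaining balances sit behind an already-revealed public key: P2PK outputs from the moment they are created, and P2PKH outputs only once a spend from that script has been followed by a new deposit (the address-reuse case above). The scripts and amounts are constructed sample data, not real chain data.

```python
# Bitcoin script opcodes used by the two legacy output types discussed above.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC


def classify_script(spk: bytes) -> str:
    """Classify a raw scriptPubKey as 'p2pk', 'p2pkh' or 'other'."""
    # P2PK: <push 33 or 65 byte pubkey> OP_CHECKSIG -> key is in the output itself
    if len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20 byte hash> OP_EQUALVERIFY OP_CHECKSIG -> hash only
    if (len(spk) == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    return "other"


def exposed_balance(events):
    """events: chain-ordered ('recv'|'spend', scriptPubKey, satoshis) tuples.
    Returns {script_hex: (type, remaining_balance, key_exposed)}. A balance is
    'exposed' when the public key that controls it is already visible on-chain."""
    state = {}
    for kind, spk, sats in events:
        st = state.setdefault(spk, {"type": classify_script(spk),
                                    "balance": 0, "key_revealed": False})
        if kind == "recv":
            st["balance"] += sats
        elif kind == "spend":
            st["balance"] -= sats
            st["key_revealed"] = True  # the spending input carries the public key
    result = {}
    for spk, st in state.items():
        if st["type"] == "p2pk":
            exposed = st["balance"] > 0                        # exposed from day one
        elif st["type"] == "p2pkh":
            exposed = st["balance"] > 0 and st["key_revealed"]  # reuse after a spend
        else:
            exposed = False  # other script types are not assessed by this sketch
        result[spk.hex()] = (st["type"], st["balance"], exposed)
    return result


# Constructed sample keys and hashes (not real Bitcoin data).
PUBKEY = bytes([0x02]) + bytes(range(1, 33))   # 33-byte compressed-key shape
HASH_A, HASH_B = bytes(range(0xA0, 0xB4)), bytes(range(0xB0, 0xC4))  # 20 bytes each
P2PK_SCRIPT = bytes([33]) + PUBKEY + bytes([OP_CHECKSIG])
P2PKH_A = bytes([OP_DUP, OP_HASH160, 20]) + HASH_A + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_B = bytes([OP_DUP, OP_HASH160, 20]) + HASH_B + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE_EVENTS = [
    ("recv", P2PK_SCRIPT, 50_0000_0000),  # 2009-style coinbase paid to a P2PK output
    ("recv", P2PKH_A, 1_0000_0000),
    ("spend", P2PKH_A, 1_0000_0000),      # reveals the key behind HASH_A
    ("recv", P2PKH_A, 3_0000_0000),       # address reuse: new funds at a revealed key
    ("recv", P2PKH_B, 2_0000_0000),       # never spent: only the hash is on-chain
]
```

Running `exposed_balance(SAMPLE_EVENTS)` marks the P2PK output and the reused P2PKH_A balance as exposed, while P2PKH_B, which has never been spent from, is not.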
If a hostile actor were the first to arrive at Q-Day, simply moving the Satoshi coins would serve as proof of a successful attack. It would instantly show that Bitcoin’s fundamental security had been broken, causing market-wide panic, a run on exchanges, and an existential crisis for the entire crypto ecosystem.
Did you know? A commonly discussed tactic is “harvest now, decrypt later.” Malicious actors are already recording encrypted data, such as Internet traffic and blockchain public keys, with the intention of decrypting it within a few years once they have a quantum computer.
How Bitcoin Could Move to Quantum Safe Protection
The entire tech world is moving towards new quantum-resistant standards. For Bitcoin, this would require a major network upgrade, or fork, to a new algorithm.
The crypto community is not waiting for this to happen. The solution is post-quantum cryptography (PQC), a new generation of encryption algorithms based on different, more complex mathematical problems that are believed to be secure against classical and quantum computers.
Instead of elliptic curves, many PQC algorithms are based on structures such as lattice-based cryptography. The US National Institute of Standards and Technology has been leading this effort.
In August 2024, the National Institute of Standards and Technology published the first finalized PQC standards.
Key to this discussion is ML-DSA (Module-Lattice-Based Digital Signature Algorithm), the standardized form of CRYSTALS-Dilithium.
The tech world in general is already adopting it. As of late 2025, OpenSSH 10.0 had adopted a PQC algorithm as the default and Cloudflare reported that the majority of its web traffic is now protected by PQC.
For Bitcoin, the way forward would be a network-wide software update, almost certainly implemented as a soft fork. This update would introduce new types of quantum-resistant addresses, such as the proposed “P2PQC” addresses. It wouldn’t force anyone to move. Instead, users could voluntarily send their funds from older, more vulnerable addresses, such as P2PKH or SegWit, to these new secure addresses. This approach would be similar to how the SegWit update was implemented.