Quantum Computing Threatens Bitcoin: 6.5M BTC Exposed – Post‑Quantum Action for Custodians

Quantum Computing and Bitcoin: Two Real Paths That Could Unsettle Crypto Security

Executive summary

Quantum computing has moved from theoretical curiosity to a recognizable balance-sheet risk for institutions holding Bitcoin. Two realistic attack vectors exist: one targets signatures (the biggest worry) and the other could modestly accelerate brute-force tasks like mining. Coinbase research led by David Duong estimates roughly 6.51 million BTC—about 32.7% of supply—is currently exposed because of address reuse and legacy scripts. Regulators and asset managers are already checking this box; BlackRock added quantum-risk language to a May 2025 IBIT filing, and US/EU guidance is nudging critical infrastructure toward post‑quantum cryptography (PQC) by around 2035. Action for boards and custody teams is straightforward: inventory vulnerable holdings, pilot post‑quantum key approaches, and budget coordinated migrations now.

Why business leaders should care

This is not a remote academic debate. For custodians, exchanges, funds and corporate treasuries, a practical consequence of a cryptographically relevant quantum computer (CRQC) is simple: if attackers can derive private keys from public keys, funds can be stolen. That risk compresses timelines for operational and legal readiness. Planning now avoids rushed, error-prone migrations later—when stakes will be far higher.

Two quantum threats—explained simply

Here are the mechanics, without the deep math:

Shor’s algorithm — signature compromise

Bitcoin uses ECDSA (the digital-signature system that proves ownership). Shor’s algorithm, if run on a sufficiently powerful quantum computer, can recover a private key from a public key. Analogy: public keys are like published lock blueprints; Shor would be a machine that can manufacture the corresponding key.
Grover’s algorithm — faster brute force

Grover offers a quadratic speedup for search problems. That can accelerate hashing tasks (relevant to mining), but the speedup is nowhere near the exponential collapse Shor would cause for signature security. In practical terms, Grover may change economics slightly—making some mining marginally faster—but it is not an immediate existential threat to Bitcoin’s proof-of-work security.

How exposed is Bitcoin today? (estimates & caveats)

Coinbase’s research team, led by David Duong, highlights two practical exposure channels:

Legacy address types and address reuse (P2PK, P2MS, some early P2TR patterns) hold significant balances linked to revealed public keys.
Every time a UTXO (unspent transaction output) is spent, the transaction reveals the public key on the mempool for a short period—creating a tiny but real attack window if a CRQC exists and is used instantly.

The headline figure—about 6.51 million BTC (≈32.7% of supply)—reflects coins that are either tied to legacy scripts or have been subject to address reuse. That does not mean all of that BTC will be lost if a CRQC appears; migration and custodial defenses can reduce exposure. But the number is big enough to make custody teams and institutional investors take the risk seriously.

“Quantum computing introduces concrete pathways that could weaken Bitcoin’s cryptographic foundations, and investor timelines for quantum readiness are shrinking.” — paraphrase of David Duong, Coinbase research

Timelines and institutional reaction

Two timeline reference points matter for planning:

Regulatory nudges: US and EU guidance encouraging migration of critical systems to PQC by about 2035 puts pressure on financial market infrastructure — and by extension on exchanges and custodians that qualify as critical services.
Developer scenarios: Chaincode Labs and Bitcoin developers discuss two migration profiles: a rapid fallback (roughly 2 years) if a sudden hardware breakthrough occurs, or a gradual 5–7 year migration if progress remains incremental. Both require advance testing and coordination.

Institutional players are already pricing the risk. BlackRock added quantum risk language to an IBIT prospectus amendment (May 2025), signaling that mainstream asset managers expect crypto custody and disclosure to incorporate quantum considerations.

Post-quantum cryptography: practical migration options

Deploying PQC on Bitcoin isn’t about flipping a switch. Two candidate signature schemes have emerged as practical fits for blockchain use:

CRYSTALS‑Dilithium: A lattice-based scheme with relatively compact signatures and efficient verification—suitable for many use cases but with tradeoffs in signature size versus legacy ECDSA.
SPHINCS+: A hash-based scheme with very strong security assurances and forward resistance, but much larger signature sizes—impacting block-space and fee economics.

A likely rollout path is a soft fork that adds support for post‑quantum signature types alongside legacy ones. That preserves continuity while giving wallets, custodians and services a migration runway. Key challenges include ensuring signature verification costs are acceptable, limiting on-chain bloat, and coordinating a migration timeline to avoid creating new attack windows during sweeping operations.

Operational migration playbook (high-level)

Concrete steps custodians, exchanges and large holders should take now:

Inventory & classify

Map all holdings by address type (P2PK, P2PKH, P2TR, P2MS), flag reused addresses, and score each holding for exposure. Prioritize high-balance, legacy-script holdings and any addresses that will reveal public keys when spent.
Threat-model & insurance review

Update risk registers and insurance policies to include quantum scenarios. Confirm whether existing crime/technology insurance covers post-quantum key compromise.
Prototype PQC wallets and pilots

Test CRYSTALS‑Dilithium and SPHINCS+ wallets in an isolated environment. Validate multi-sig and threshold signature integrations with PQC primitives. Run adversarial sweeps and recovery drills.
Vendor & custody SLAs

Require vendors and custodial partners to publish PQC roadmaps, SLAs, and migration timelines. Include contractual commitments for secure sweeping and coordination during soft forks.
Phased migration & public coordination

Plan low-risk pilots first (small-value cold wallets), then staged sweeps of larger cold holdings. Coordinate public soft-fork activation signals to avoid chaotic migrations that could expose keys during sweeping.
Governance & legal sign-off

Get board-level approval for budgets and a delegated migration authority. Update custody agreements, legal policies, and regulatory filings to reflect quantum readiness plans.
Monitoring & continuous testing

Maintain continuous monitoring for breakthroughs in quantum hardware and cryptanalysis, and keep PQC implementations updated as standards evolve.

Fast, mid and slow scenarios

Fast (≈2 years)

A rapid, unexpected CRQC breakthrough triggers an accelerated migration. Response must include immediate activation of sweep procedures, emergency soft-fork coordination, and emergency disclosure to stakeholders. This scenario demands prior testing: without rehearsed playbooks, rushed migrations risk creating fresh vulnerabilities.
Mid (2–5 years)

Steady progress in quantum hardware compresses decision cycles. Institutions accelerate pilots and roll out PQC-compatible services in waves. Insurance markets and custodians refine offerings and service levels.
Slow (5–10 years)

Gradual hardware improvements allow a measured migration. This is the least disruptive option provided organizations use the time to inventory, pilot, and coordinate a thoughtful soft-fork rollout.

Legal, insurance and market implications

Legal exposure is real: if a large custodian fails to migrate or coordinate properly and a quantum-enabled theft occurs, litigation and regulatory scrutiny will follow. Insurance contracts may exclude novel attack vectors unless specifically amended. Market-wise, the mere existence of a credible risk compresses valuation models for long-term holders; that said, markets so far treat this as a long-dated factor rather than a trigger for panic. Liquidity remains active in many crypto areas while institutions tighten custody policies.

Practical next steps & checklist for boards and CTOs

Board-level ask: Require a one-page quantum readiness brief within 60 days covering inventory, planned pilots, and budget estimate.
CTO/Custody lead: Deliver the inventory of legacy-script addresses and a prioritized migration timetable within 90 days.
Risk & legal: Confirm insurance coverage for quantum scenarios and update custody agreements to include PQC migration obligations.
Procurement: Add PQC roadmap requirements into vendor contracts and SLAs.
Operations: Run at least one PQC pilot sweep for a non-critical wallet in the next 6–12 months.

Market context

Price technicians have noticed consolidation patterns around recent highs, but market action is a separate, short-term signal. The strategic point is that quantum risk shapes long-term custody and disclosure practices more than daily price moves. Institutions that treat PQC as a planning item will be better positioned whether quantum arrives quickly or slowly.