Why Satoshi’s Wallet is a Prime Quantum Target
Satoshi’s 1.1 million BTC wallet is increasingly seen as a potential quantum vulnerability as researchers assess how growing computing power could impact early Bitcoin addresses.
Satoshi Nakamoto’s estimated 1.1 million Bitcoin (BTC) is often described as the ultimate “lost treasure of the cryptocurrency world.” It sits on the blockchain like a dormant volcano, a digital ghost ship that has not seen an onchain transaction since its inception. This enormous treasure, worth an estimated $67 billion to $124 billion at current market rates, has become the stuff of legend.
But a growing number of cryptologists and physicists also see it as a multi-billion-dollar security threat. The threat is not a hacker, server compromise or password loss; it is the emergence of an entirely new form of computation: quantum computing.
As quantum machines move from theoretical research laboratories to powerful working prototypes, they pose a potential threat to existing cryptographic systems. This includes the cryptography that protects Satoshi’s coins, the wider Bitcoin network, and parts of the global financial infrastructure.
This isn’t a distant “what if.” The race to build both a quantum computer and quantum-resistant defense is one of the most crucial and best-funded technological efforts of our time. Here’s what you need to know.
Why Satoshi’s Early Wallets Are Easy Quantum Targets
Most modern Bitcoin wallets hide the public key until a transaction occurs. Satoshi’s legacy pay-to-public-key (P2PK) addresses do not, and their public keys are permanently visible on-chain.
To understand the threat, it is crucial to remember that not all Bitcoin addresses are created equal. The vulnerability lies in the type of address used by Satoshi in 2009 and 2010.
Most bitcoins are currently stored in pay-to-public-key-hash (P2PKH) addresses that start with “1” or newer SegWit addresses that start with “bc1”. For these types of addresses, the blockchain does not store the full public key after receiving the coins; it only stores the hash of the public key, and the actual public key is only revealed when the coins are spent.
Think of it like a bank’s drop box. The address hash is the mail slot; anyone can see it and put in money. The public key is a locked metal door behind the slot. No one can see the lock or its mechanism. The public key (“lock”) is only revealed to the network at the one time you choose to spend your coins, at which point your private key “unlocks” it.
However, Satoshi’s coins are stored at much older P2PK addresses. This older format has no hash. The public key itself, the lock in our analogy, is visibly and permanently recorded on the blockchain for anyone to see.
For a classical computer this does not matter. It is still virtually impossible to reverse-engineer the public key to find the corresponding private key. But to a quantum computer, the revealed public key is a detailed blueprint. It is an open invitation to come and pick the lock.
How Shor’s algorithm allows quantum machines to crack Bitcoin
Bitcoin’s signature scheme, the Elliptic Curve Digital Signature Algorithm (ECDSA), relies on mathematics that is computationally infeasible for classical computers to reverse. Shor’s algorithm, if run on a sufficiently powerful quantum computer, is designed to break this math.
Bitcoin’s security model is based on ECDSA. Its strength comes from a one-way mathematical assumption. It is easy to multiply the private key by a point on the curve to get the public key, but it is essentially impossible to take that public key and reverse the process to find the private key. This is known as the elliptic curve discrete logarithm problem.
A classical computer has no known way to “undo” this operation. The only option is brute force: guessing every possible key. The number of possible keys is 2^256, a number so enormous that it exceeds the number of atoms in the known universe. This is why Bitcoin is safe from all classical supercomputers on Earth, now and in the future.
A quantum computer would not guess. It would calculate.
The tool for this is Shor’s algorithm, a theoretical process developed in 1994. On a sufficiently powerful quantum computer, the algorithm can use quantum superposition to find the mathematical patterns, particularly the period, hidden in the elliptic curve problem. It can take an exposed public key and, within hours or days, reverse engineer it to find the single private key that created it.
An attacker would not have to break into a server. They could simply download the exposed P2PK public keys from the blockchain, feed them into the quantum machine, and wait for the private keys to be returned. They could then sign a transaction and transfer Satoshi’s 1.1 million coins.
Did you know? It is estimated that breaking Bitcoin encryption would require a machine equipped with approximately 2,330 stable logical qubits. Because current qubits are noisy and error-prone, experts believe that a fault-tolerant system would need to combine more than 1 million physical qubits to create 2,330 stable ones.
How close are we to Q-Day?
Companies like Rigetti and Quantinuum are racing to build a cryptographically relevant quantum computer, with the timeline shrinking from decades to years.
“Q-Day” is the hypothetical moment when a quantum computer becomes capable of breaking current encryption. For years, this was considered a “10-20 year” problem, but now that timeline is rapidly shrinking.
The reason we need 1 million physical qubits to get 2,330 logical qubits is quantum error correction. Qubits are extremely fragile. They are noisy and sensitive to even tiny vibrations, temperature changes or radiation, which can cause them to decohere and lose their quantum state, leading to errors in calculations.
To perform computations as complex as cracking ECDSA, you need stable logical qubits. To create a single logical qubit, it may be necessary to combine hundreds or even thousands of physical qubits into an error-correcting code. This is the overhead the system pays to maintain stability.
We are in a rapidly accelerating quantum race.
- Companies like Quantinuum, Rigetti and IonQ, as well as tech giants like Google and IBM, are publicly pursuing aggressive quantum roadmaps.
- For example, Rigetti remains on track to achieve a system of over 1,000 qubits by 2027.
- This public-facing progress does not account for secret research at the state level. The first country to reach Q-Day will theoretically hold the master key to global financial and intelligence data.
Therefore, defenses must be built and deployed before an attack becomes possible.
Why Millions of Bitcoins Are Vulnerable to Quantum Attacks
A 2025 report by the Human Rights Foundation shows that 6.51 million BTC sit in vulnerable addresses, of which 1.72 million, including Satoshi’s, are considered lost and impossible to transfer.
Satoshi’s wallet is the biggest prize, but not the only one. An October 2025 report from the Human Rights Foundation analyzed the entire blockchain for quantum vulnerability.
The findings were stark:
- 6.51 million BTC are vulnerable to long-range quantum attacks.
- This includes 1.72 million BTC in very early address types that are considered dormant or potentially lost, including Satoshi’s estimated 1.1 million BTC, much of which is in P2PK addresses.
- An additional 4.49 million BTC are vulnerable but can be secured through migration, suggesting that their owners are likely still able to act.
This 4.49 million BTC stash belongs to users who made a critical mistake: address reuse. They used modern P2PKH addresses, but after spending funds from them (which reveals the public key) they received new funds back to the same address. This was common practice in the early 2010s. By reusing the address, they permanently exposed their public key on-chain, turning their modern wallet into a target as vulnerable as Satoshi’s.
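The distinction drawn above between P2PK outputs, hashed outputs and reused addresses can be checked mechanically when auditing one’s own holdings before a migration. The following is an added example, not code from the report or the original article; the function names and the sample byte strings are constructed for illustration, while the script layouts are the standard Bitcoin ones.

```python
# Added example: decide whether an output's public key is already on-chain.
# Script layouts are the standard Bitcoin ones; all sample bytes are constructed.

def classify(script: bytes) -> str:
    """Name the output type for the script layouts the article discusses."""
    n = len(script)
    # P2PK: <push 65 or 33 bytes> <pubkey> OP_CHECKSIG (0xac)
    if n in (67, 35) and script[0] == n - 2 and script[-1] == 0xAC:
        if (n == 67 and script[1] == 0x04) or (n == 35 and script[1] in (2, 3)):
            return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        return "P2PKH"
    # P2WPKH (SegWit v0, "bc1q..." addresses): OP_0 <push 20> <hash160>
    if n == 22 and script[:2] == b"\x00\x14":
        return "P2WPKH"
    return "other"

def pubkey_exposed(script: bytes, spent_from_before: bool) -> bool:
    """True if the public key guarding this output is already visible."""
    kind = classify(script)
    if kind == "P2PK":
        return True                      # the key is the script itself
    if kind in ("P2PKH", "P2WPKH"):
        return spent_from_before         # an earlier spend revealed the key
    raise ValueError("script type not covered by this example")

def audit(utxos):
    """utxos: iterable of (label, script, spent_from_before) tuples."""
    return [(label, classify(s), pubkey_exposed(s, spent))
            for label, s, spent in utxos]

SAMPLE_PUBKEY = b"\x04" + b"\x11" * 64   # constructed placeholder, not a real key
SAMPLE_HASH = b"\x22" * 20               # constructed placeholder hash160
P2PKH = b"\x76\xa9\x14" + SAMPLE_HASH + b"\x88\xac"

UTXOS = [
    ("2009-style P2PK output", b"\x41" + SAMPLE_PUBKEY + b"\xac", False),
    ("fresh P2PKH address", P2PKH, False),
    ("reused P2PKH address", P2PKH, True),
    ("fresh P2WPKH address", b"\x00\x14" + SAMPLE_HASH, False),
]

if __name__ == "__main__":
    for label, kind, exposed in audit(UTXOS):
        print(f"{label:24} {kind:7} public key exposed: {exposed}")
```

Outputs flagged as exposed are the ones to prioritize if quantum-resistant address types become available; the reused P2PKH case shows why a hashed address offers no protection once it has been spent from.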
If a hostile actor reaches Q-Day first, the simple act of moving Satoshi’s coins would serve as evidence of a successful attack. It would immediately show that Bitcoin’s fundamental security has been breached, causing market-wide panic, stock panic, and an existential crisis for the entire crypto ecosystem.
Did you know? A common tactic discussed is “harvest now, decrypt later.” Malicious actors are already recording encrypted data, such as internet traffic and blockchain public keys, with the intention of decrypting it in a few years, once they have a quantum computer.
How Bitcoin Can Move to Quantum Protection
The entire technology world is moving towards new quantum-resistant standards. In Bitcoin’s case, this would require a major network upgrade or fork to a new algorithm.
The crypto community isn’t waiting for this to happen. The solution is post-quantum cryptography (PQC), a new generation of encryption algorithms built on different and more complex mathematical problems that are considered secure against both classical and quantum computers.
Instead of elliptic curves, many PQC algorithms rely on structures such as lattice-based cryptography. The U.S. National Institute of Standards and Technology is leading this effort.
- In August 2024, the National Institute of Standards and Technology published the first finalized PQC standards.
- Central to this discussion is ML-DSA (Module-Lattice-Based Digital Signature Algorithm), which is part of the CRYSTALS-Dilithium standard.
- The wider tech world is already adopting this. As of the end of 2025, OpenSSH 10.0 had made PQC the default algorithm, and Cloudflare has reported that most of its internet traffic is now protected by PQC.
In Bitcoin’s case, the solution would be a network-wide software update, almost certainly implemented in the form of a soft fork. This upgrade would introduce new quantum-resistant address types, such as the proposed “P2PQC” addresses. It wouldn’t force anyone to move. Instead, users could voluntarily send their funds from older, vulnerable addresses such as P2PKH or SegWit to new, secure ones. This approach would be similar to the way the SegWit update was rolled out.
