TL;DR
- One‑third of Bitcoin supply—~7 million BTC—vulnerable to future quantum attack.
- Google research estimates quantum computer could crack exposed keys in nine minutes by 2029.
- Legacy P2PK and some Taproot outputs permanently reveal public keys on‑chain.
Google Quantum AI published a white paper on March 30, 2026 that mapped for the first time the actual scale of Bitcoin’s quantum vulnerability. The document exposes a problem nobody has solved in fifteen years: approximately 6.7 million Bitcoin remain in addresses that a sufficiently powerful quantum computer can drain without the owner executing any transaction whatsoever. Those 6.7 million BTC represent the most valuable target in the history of financial crime. Currently trading around $280 billion in market value. And no clear plan exists to protect them.
Google’s research identifies 100,000 Bitcoin addresses exposed to so-called “at-rest” attacks—a technical term meaning: a quantum computer can derive your private key simply by observing your public key without you ever moving coins. In Bitcoin, when an address remains dormant and never executes a transaction, its public key remains permanently visible on the blockchain. That is a design flaw nobody anticipated in 2009 when Satoshi wrote the original code. But it is the flaw still existing today, fifteen years later.
The most vulnerable coins are those locked in Pay-to-Public-Key scripts from Bitcoin’s oldest era, the Satoshi era of 2009 and 2010. Those scripts store the public key directly on the blockchain. An attacker with a quantum computer equipped with Shor’s Algorithm can take that visible public key and derive the corresponding private key in minutes. Then the attacker drains the address. There is no defense. No second factor. No way to stop it.
Around address rank 6,000 in the ranking of addresses by age, a concentration emerges of 50 BTC addresses each—early mining rewards—many of which have never moved since Bitcoin’s earliest years. Post-quantum cryptography cannot defend dormant addresses.
Unlike active wallets that can migrate to post-quantum cryptography, dormant addresses freeze in time. They cannot upgrade. They cannot execute transactions that move them to safer scripts. They represent a fixed target, permanently visible, that grows more dangerous as quantum hardware advances. Google estimates that approximately 1.7 million BTC sit specifically in P2PK scripts. When you factor address reuse, the total quantum-vulnerable supply potentially reaches 6.9 million BTC.
Google’s white paper articulates an unprecedented question that the Bitcoin community and regulators will soon face: what happens to those coins when a quantum computer can simply take them? No easy answer exists. Options under discussion range from protocol-level destruction of coins—a Bitcoin fork that erases those addresses—to legal frameworks for regulated recovery under a concept Google calls “digital salvage.”
Protocol-level destruction requires consensus from the Bitcoin network. That means convincing miners, developers, and nodes running the network to accept permanent loss of 6.7 million BTC. It is politically impossible. Miners would not vote to destroy value. Developers cannot force it. The network is too decentralized.
Regulated recovery under “digital salvage” introduces a different problem: it requires governments, courts, and regulatory agencies to defend ownership of coins nobody has touched in a decade. How does someone prove they own Bitcoin that remains dormant? Who holds authority to decide which coins qualify for salvage and which do not? Matt Hougan, Chief Investment Officer at Bitwise, pointed out that “progress on quantum from Bitcoin Core developers is important, because parts of the Bitcoin community—justified or not—worry about quantum and want to see it taken seriously and addressed.”
Quantum computers capable of executing Shor’s Algorithm to derive private keys remain theoretical, but advances in quantum cryptography move fast. The next decade will determine whether Bitcoin faces a $280 billion theft or whether the community finds a solution. But today, six years after the problem became mathematically obvious, Bitcoin has no answer. Only a problem that grows more dangerous each year as quantum hardware approaches reality.
