In the event that quantum computers one day become capable of breaking Bitcoin’s cryptography, approximately 1 million BTC attributed to Satoshi Nakamoto, the creator of the Bitcoin network, could become vulnerable to theft.
At the current price of around $67,600 per bitcoin, this reserve alone would be worth around $67.6 billion.
But Satoshi’s plays are only part of the story.
Estimates circulating among analysts suggest that around 6.98 million bitcoins could be vulnerable in a sufficiently advanced quantum attack, Ki Young Ju, the founder of CryptoQuant, recently wrote on X. At current prices, the total amount of coins currently exposed is around $440 billion.
The question that is increasingly common in and outside Bitcoin circles is simple and, at times, quite controversial.
Why are some pieces on display?
Vulnerability is not uniform. In the early years of Bitcoin, public key payment (P2PK) transactions integrated public keys directly on-chain. Modern addresses typically only reveal a hash of the key until the coins are spent, but once a public key is exposed during early mining or address reuse, that exposure is permanent. In a sufficiently advanced quantum scenario, these keys could, in theory, be reversed.
Neutrality vs intervention
For some, freezing these coins would harm the fundamental neutrality of bitcoin.
“The structure of Bitcoin treats all UTXOs the same,” said Nima Beni, founder of Bitlease. “It makes no distinction based on wallet age, identity, or perceived future threat. This neutrality is fundamental to the credibility of the protocol.”
Creating exceptions, even for security reasons, changes that architecture, he said. Once there is authority to freeze coins for protective purposes, it also exists for other justifications.
Georgii Verbitskii, founder of crypto investor app TYMIO, raised a relevant concern: the network has no reliable way to determine which coins are lost and which are simply dormant.
“It’s virtually impossible to distinguish between coins that are actually lost and coins that are simply asleep,” Verbitskii said. “From a protocol standpoint, there is no reliable way to tell the difference.”
For this camp, the solution lies in upgrading cryptography and allowing voluntary migration to quantum-resistant signatures, rather than rewriting ownership requirements at the protocol layer.
Let mathematics decide
Others argue that intervention would violate Bitcoin’s fundamental principle: private keys control coins.
Paolo Ardoino, CEO of Tether, suggested that it might be better to allow old coins to re-enter circulation, even through quantum advances, rather than changing the rules of consensus.
“Any bitcoin in lost wallets, including Satoshi (if not alive), will be hacked and put back into circulation,” he continued. “Any inflationary effect due to the return of lost coins to circulation would be temporary, it is believed, and the market would eventually absorb it.”
According to this vision, “code is law”: if cryptography evolves, coins move.
Roya Mahboob, CEO and founder of the Digital Citizen Fund, took a similar hardline stance. “No, freezing old Satoshi-era addresses would violate immutability and property rights,” she told CoinDesk. “Even coins from 2009 are protected by the same rules as coins mined today.”
If quantum systems eventually decipher the exposed keys, she added, “whoever solves them first should claim the coins.”
However, Mahboob said she expects upgrades resulting from ongoing research among Bitcoin Core developers to strengthen the protocol before a serious threat materializes.
The arguments in favor of burning
Jameson Lopp said allowing quantum attackers to sweep vulnerable coins would amount to a massive redistribution of wealth to whoever gets first access to advanced quantum hardware.
In his essay Against Allowing Quantum Recovery of Bitcoin, Lopp rejects the term “confiscation” when describing a defensive soft fork. “I don’t think ‘confiscation’ is the most accurate term to use,” Lopp wrote. “It would rather be better to describe what we are actually discussing as ‘burning’ rather than placing the funds beyond everyone’s reach. »
Such a move would likely require a soft fork, rendering vulnerable products unusable unless they are migrated to enhanced quantum-resistant addresses by a deadline – a change that would require broad social consensus.
Allowing quantum recovery, he adds, would reward technological supremacy rather than productive participation in the network. “Quantum miners don’t trade anything,” Lopp wrote. “They are vampires feeding on the system.”
How close is the threat?
While the philosophical debate intensifies, the technical timeline remains contested.
Zeynep Koruturk, managing partner at Firgun Ventures, said the quantum community was “stunned” when recent research suggested that fewer physical qubits than previously thought might be needed to break widely used encryption systems like RSA-2048.
“If this can be proven in the lab and corroborated, the time frame for decrypting RSA-2048 could, in theory, be reduced to two or three years,” she said, noting that advances in large-scale fault-tolerant systems could eventually apply to elliptic curve cryptography as well.
Others urge caution.
Aerie Trouw, co-founder and CTO of XYO, believes that “we are still far enough away that there is no practical reason to panic.”
Frédéric Fosco, co-founder of OP_NET, was more direct. Even if such a machine emerged, “you improve cryptography. That’s it. It’s not a philosophical dilemma: it’s an engineering problem with a known solution.”
Ultimately, the question is about governance, timing and philosophy – and whether the Bitcoin community can reach consensus before quantum computing becomes a real and present threat.
Freezing vulnerable coins would call into question Bitcoin’s claim of immutability. Allowing them to be swept aside would undermine its commitment to fairness.
