Quantum risk to Bitcoin is not uniform. The most straightforward targets are not active users or freshly generated addresses but long‑dormant wallets whose public keys are already visible on the blockchain. Many of these holdings date back to Bitcoin’s earliest days and include large, unmoved block rewards. That concentration makes them the likeliest practical entry points for any early quantum‑driven attacks.
Two cryptographic primitives, two different threat profiles
Bitcoin relies on SHA‑256 hashes for mining and block integrity and on elliptic‑curve signatures over secp256k1 (ECDSA, and Schnorr since Taproot) to authorize spending. Quantum computers affect these primitives very differently. Grover’s algorithm gives only a quadratic speedup against hash functions, roughly halving their effective security level (SHA‑256’s 256‑bit preimage resistance becomes about 128 bits), which weakens them but does not break them at realistic scales. Shor’s algorithm, however, solves the elliptic‑curve discrete logarithm problem efficiently: given a public key, it recovers the private key, which directly defeats the signature schemes.
The practical difference comes down to whether a coin’s public key is exposed. If a public key is visible on‑chain, a sufficiently capable quantum device could, in principle, recover the private key and spend the funds. That risk is concentrated where public keys already exist—primarily in long‑unmoved outputs—rather than evenly spread across all Bitcoin addresses.
On‑spend vs at‑rest attacks
There are two distinct attack windows to consider:
– On‑spend attacks: These occur while a transaction is being broadcast. For hash‑based output types the public key is revealed only at the moment of spending, so an attacker would have to compute the private key, construct a competing spend of the same input with a higher fee, and get it mined before the victim’s transaction confirms. That window is on the order of one block (~10 minutes on average), although it widens for low‑fee transactions that linger in the mempool and closes once the victim’s transaction is confirmed. The speed and low latency this demands make such attacks much harder in practice.
– At‑rest attacks: These target outputs whose public keys are already recorded on the blockchain. There is no race against confirmations; an attacker can work for days, weeks or indefinitely to derive the private key and spend whenever convenient. Dormant outputs sit in this category for years, so the only constraint on the attacker is the quantum compute available, not latency.
Because at‑rest attacks remove the time pressure, dormant wallets are inherently more attractive targets once enough quantum capability exists.
Why dormant wallets are especially vulnerable
Dormant addresses combine several risk factors:
– No defender can move the funds: Active holders can migrate coins to fresh, safer addresses or adopt quantum‑resistant solutions. Dormant wallets—owned by inactive, unreachable, or lost key holders—cannot take defensive action.
– Long exposure windows: With a public key already revealed, attackers can run long computations offline without racing for block confirmations.
– Concentrated value: Early miners and long‑held wallets often contain large balances. That creates high‑value, low‑resistance targets compared with widely distributed, actively managed holdings.
Put together, these traits make legacy coins a disproportionate share of the practical quantum attack surface.
Which address types matter most
Not all outputs are equally exposed. The most at‑risk categories include:
– Early P2PK outputs: Many early transactions revealed public keys directly, leaving those funds exposed indefinitely.
– Reused addresses: For hash‑based output types (P2PKH, P2WPKH and script hashes such as P2SH), the public key is hidden until the first spend, when it appears in the input’s scriptSig or witness. Once an address has been spent from, its public key is public forever. If a balance remains in that address, or funds are later sent back to it, those coins are exposed at rest.
– Taproot outputs: Pay‑to‑Taproot (P2TR) outputs place the tweaked output public key directly in the output script, so it is visible from the moment the output is funded, not only when it is spent. Taproot’s other benefits do not change this, and address reuse or careless migration can expose funds in any format.
In short, the protection a hash‑based address type provides on paper can be undone by operational practice: address reuse, or failing to move coins once a key has been revealed.
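To make the exposure rules above concrete, here is an added example (not from the original article and not Bitcoin Core code) that classifies outputs by their scriptPubKey template and flags those whose public key is already on‑chain, either because the script type carries the key (P2PK, P2TR) or because the address was spent from before and still holds coins. The opcode byte values and script templates are Bitcoin’s standard ones; the UTXO set, spend history, block heights and placeholder keys and hashes are constructed for the example, and the one‑year dormancy threshold is an assumption. It is also the kind of check behind the “avoid address reuse” advice later in the piece.

```python
"""Flag Bitcoin outputs whose public key is already exposed on-chain.

Added example, not Cointelegraph's or Bitcoin Core's code. The script
templates are Bitcoin's standard output formats; the sample UTXOs and
spend history below are constructed and are not real chain data.
"""
from dataclasses import dataclass
from typing import Optional

# Opcodes used by the standard templates.
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x00, 0x51, 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG = 0xA9, 0xAC


def classify_script(spk: bytes) -> Optional[str]:
    """Return the standard output type of a scriptPubKey, or None if non-standard."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "P2PK"            # <push33|push65 pubkey> OP_CHECKSIG: key in the script
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH"           # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "P2SH"            # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "P2WPKH"          # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "P2WSH"           # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "P2TR"            # OP_1 <32-byte x-only output key>: key in the script
    return None


# Types whose scriptPubKey itself carries a public key: exposed as soon as funded.
EXPOSED_AT_REST = {"P2PK", "P2TR"}


@dataclass
class Utxo:
    txid: str
    vout: int
    script_pubkey: bytes
    value_sat: int
    created_height: int


def exposure_reason(u: Utxo, spent_from: set) -> Optional[str]:
    """Why this output's key is exposed, or None if it is still hidden until spend."""
    kind = classify_script(u.script_pubkey)
    if kind is None:
        return "non-standard script (manual review)"
    if kind in EXPOSED_AT_REST:
        return f"{kind}: public key is in the output script"
    if u.script_pubkey in spent_from:
        return f"{kind}: address reused after an earlier spend revealed the key"
    return None


def audit(utxos, spent_from, tip_height, dormant_after_blocks=52_560):
    """Exposed outputs sorted by value; dormancy threshold (~1 year) is an assumption."""
    findings = []
    for u in utxos:
        reason = exposure_reason(u, spent_from)
        if reason is None:
            continue
        findings.append({
            "outpoint": f"{u.txid}:{u.vout}",
            "value_sat": u.value_sat,
            "reason": reason,
            "dormant": tip_height - u.created_height >= dormant_after_blocks,
        })
    findings.sort(key=lambda f: f["value_sat"], reverse=True)
    return findings


def sample_audit():
    """Constructed UTXO set and spend history (placeholder keys and hashes)."""
    pk = b"\x02" + b"\x11" * 32                          # placeholder compressed pubkey
    p2pk = bytes([0x21]) + pk + bytes([OP_CHECKSIG])
    p2pkh_fresh = bytes([OP_DUP, OP_HASH160, 0x14]) + b"\xbb" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
    p2pkh_reused = bytes([OP_DUP, OP_HASH160, 0x14]) + b"\xcc" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
    p2tr = bytes([OP_1, 0x20]) + b"\xdd" * 32
    p2wpkh = bytes([OP_0, 0x14]) + b"\xee" * 20
    tip = 800_000
    utxos = [
        Utxo("a" * 64, 0, p2pk, 50 * 100_000_000, 1_000),        # early block reward, P2PK
        Utxo("b" * 64, 1, p2pkh_fresh, 3_000_000, tip - 10),     # never spent from: hidden
        Utxo("c" * 64, 0, p2pkh_reused, 250_000_000, tip - 100), # coins sent back to a used address
        Utxo("d" * 64, 0, p2tr, 10_000_000, tip - 200_000),      # Taproot: key in script, dormant
        Utxo("e" * 64, 2, p2wpkh, 75_000, tip - 5),              # never spent from: hidden
    ]
    spent_from = {p2pkh_reused}   # scripts already seen as the prevout of a spent input
    return audit(utxos, spent_from, tip)


if __name__ == "__main__":
    for f in sample_audit():
        print(f"{f['outpoint'][:8]}... {f['value_sat']:>12} sat  dormant={f['dormant']}  {f['reason']}")
```

On real data, `spent_from` would be built by walking every transaction input and recording the scriptPubKey of the output it consumed; the classifier deliberately reports non‑standard scripts for manual review rather than guessing.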
Scale and structural imbalance
Analyses of the UTXO set indicate that a nontrivial share of BTC, much of it concentrated in a relatively small number of outputs, has its public key exposed and has not moved in many years. That creates a structural imbalance: a modest set of addresses holds a large share of the observable quantum risk. Rather than the entire supply being equally vulnerable, the threat is focused where the highest‑value targets coincide with the weakest defenses.
Governance and policy complications
If attackers begin to exploit exposed dormant wallets, the community will face thorny governance questions. Possible responses include:
– Accepting attacker‑produced spends as valid, preserving strict immutability but rewarding the attacker.
– Attempting protocol changes to protect or freeze compromised outputs, which would raise questions about who decides and whether exceptions undermine the system’s neutrality.
– Defining rules for clearly abandoned or unreachable funds, a politically charged move involving property and edge cases.
Dormant wallets present difficult trade‑offs because their owners cannot opt into upgrades or migrations, yet their continued exposure affects the entire ecosystem.
Why this is not an imminent collapse
There is no public evidence that quantum machines capable of breaking Bitcoin signatures at scale exist today. Building such systems will likely take years or decades of engineering progress. Further, the threat is likely to manifest gradually: active users can adopt mitigations, and the community has time to research and test migration strategies and protocol options before widescale exploitation becomes possible.
Practical steps to reduce exposure
Actions today should aim to lower public‑key exposure and prepare transition paths:
– Avoid address reuse and limit when public keys are revealed in transactions.
– Encourage active users to keep funds in output types that hide the public key until spend, to move coins to a fresh address whenever a key has been revealed, and, when practical, to adopt post‑quantum alternatives as they become available.
– Research protocol‑level migration and hybrid signature schemes that preserve decentralization and efficiency while providing long‑term resilience.
– Develop operational plans for dealing with large dormant balances, including community discussions about governance options if exploitation occurs.
These steps help mostly those who can take action; the unresolved problem remains how to treat immovable, legacy funds that cannot be instructed to migrate.
Conclusion
Quantum computing will not necessarily cause an instantaneous, network‑wide failure of Bitcoin. Instead, the earliest and most practical vulnerabilities are likely to be concentrated in dormant addresses whose public keys are already on‑chain. The community’s task is to reduce present exposure where possible, accelerate research into viable migrations, and prepare policy responses for the harder cases of inaccessible legacy holdings.
This article is informational and follows Cointelegraph’s editorial standards. It is not investment advice. Readers should conduct their own research and understand that forward‑looking statements about future technology and risks are uncertain.