Should quantum computers become capable of breaking Bitcoin’s encryption in the future, approximately 1 million BTC attributed to Satoshi Nakamoto, the creator of the Bitcoin network, could become vulnerable to theft.
At today’s price of around $67,600 per bitcoin, that reserve alone would be worth approximately $67.6 billion.
But Satoshi’s coins are only part of the story.
Estimates circulating among analysts suggest that around 6.98 million bitcoins could be vulnerable to a sufficiently advanced quantum attack, Ki Young Ju, founder of CryptoQuant, wrote recently on X. At current prices, the coins currently exposed are worth around $440 billion.
The question that is becoming increasingly popular both inside and outside bitcoin circles is simple and, at times, quite controversial
Why some coins are exposed
Vulnerability is not uniform. In the early years of Bitcoin, pay-to-public-key (P2PK) transactions embedded public keys directly on-chain. Modern addresses usually reveal only a hash of the key until coins are spent, but once a public key is exposed through early mining or address reuse, that exposure is permanent. In a sufficiently advanced quantum scenario, such keys could, in theory, be reversed to recover the private keys behind them.
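The distinction above can be checked mechanically from an output's locking script. The following is an added example, not code from the article or from any Bitcoin project: it recognises only P2PK, P2PKH and P2WPKH scripts (anything else is reported as "other"), and the keys, hashes, labels and amounts are constructed filler data.

```python
"""Classify Bitcoin output scripts by whether the public key is visible on-chain."""

def classify(script_hex):
    """Return (script_type, key_hash_or_None, pubkey_in_output)."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG -- the key itself sits in the output
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        if (n == 35 and s[1] in (2, 3)) or (n == 67 and s[1] == 4):
            return ("P2PK", None, True)
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return ("P2PKH", s[3:23].hex(), False)
    # P2WPKH: OP_0 <push 20> <hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return ("P2WPKH", s[2:].hex(), False)
    return ("other", None, False)

def exposed_outputs(utxos, revealed_hashes):
    """List unspent outputs whose public key is already public.

    utxos: iterable of (label, script_hex, amount_btc).
    revealed_hashes: key hashes that were spent from at least once before
    (address reuse), which published the key in the spending input.
    """
    hits = []
    for label, script_hex, amount in utxos:
        kind, key_hash, in_output = classify(script_hex)
        if in_output:
            hits.append((label, kind, "public key stored in output", amount))
        elif key_hash is not None and key_hash in revealed_hashes:
            hits.append((label, kind, "key revealed by earlier spend", amount))
    return hits

# Constructed sample data: filler bytes, not real keys or addresses.
PUBKEY_65 = "04" + "11" * 64
HASH_A, HASH_B = "aa" * 20, "bb" * 20
UTXOS = [
    ("early-coinbase", "41" + PUBKEY_65 + "ac", 50.0),
    ("reused-address", "76a914" + HASH_A + "88ac", 1.5),
    ("fresh-address", "76a914" + HASH_B + "88ac", 2.0),
    ("fresh-segwit", "0014" + HASH_B, 0.25),
]
REVEALED = {HASH_A}  # HASH_A was spent from once, so its key is on-chain

if __name__ == "__main__":
    for row in exposed_outputs(UTXOS, REVEALED):
        print(row)
```

Only the early P2PK output and the reused address are flagged; the two outputs locked to a never-spent key hash are not.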
Neutrality vs. intervention
For some, freezing those coins would compromise bitcoin’s fundamental neutrality.
“Bitcoin’s structure treats all UTXOs equally,” said Nima Beni, founder of Bitlease. “It does not distinguish based on wallet age, identity or a perceived future threat. This neutrality underlies the protocol’s credibility.”
Creating exceptions, even for security reasons, alters that architecture, he said. Once the authority exists to freeze coins for protection purposes, it also exists for other justifications.
Georgii Verbitskii, founder of crypto investor app TYMIO, raised a relevant issue: the network has no reliable way to determine which coins are lost and which are simply inactive.
“Distinguishing between truly lost coins and merely dormant coins is virtually impossible,” Verbitskii said. “From a protocol perspective, there is no reliable way to make this distinction.”
For this camp, the solution lies in updating cryptography and enabling voluntary migration to quantum-resistant signatures, rather than rewriting ownership conditions at the protocol level.
Let the mathematics decide
Others argue that an intervention would violate the fundamental principle of Bitcoin: private keys control the coins.
Paolo Ardoino, CEO of Tether, suggested that allowing old coins to return to circulation, even through quantum innovations, might be preferable to changing consensus rules.
“Any bitcoin in lost wallets, including Satoshi’s (if he were not alive), will be hacked and put back into circulation,” he continued. Any inflationary effect resulting from the return of the lost coins into circulation would be temporary, the reasoning goes, and the market would absorb it eventually.
From this perspective, “code is law”: if cryptography evolves, coins move.
Roya Mahboob, CEO and founder of Digital Citizen Fund, has taken a similarly rigid stance. “No, freezing Satoshi-era addresses would be a violation of immutability and property rights,” he told CoinDesk. “Coins from 2009 are also protected by the same rules as coins mined today.”
If quantum systems were to eventually crack the exposed keys, he added, “whoever solves them first should claim the coins.”
However, Mahboob said he expects updates driven by ongoing research among Bitcoin Core developers to strengthen the protocol before any serious threat arises.
The case for burning
Jameson Lopp said that allowing quantum attackers to wipe out vulnerable coins would amount to a massive redistribution of wealth in favor of whoever gets access to advanced quantum hardware first.
In his essay Against Bitcoin Quantum Recovery, Lopp rejects the term “confiscation” when describing a defensive soft fork. “I don’t think ‘confiscation’ is the most accurate term to use,” Lopp wrote. “Rather, what we are really talking about would be better described as ‘burning’ rather than putting funds out of anyone’s reach.”
Such a move would likely require a soft fork, making vulnerable outputs unspendable unless they are migrated to upgraded quantum-resistant addresses before a deadline — a change that would require broad social consensus.
Enabling quantum recovery, he adds, would reward technological supremacy rather than productive participation in the network. “Quantum miners trade nothing,” Lopp wrote. “They are vampires who feed on the system.”
How imminent is the threat?
While the philosophical debate intensifies, the technical timing remains contested.
Zeynep Koruturk, managing partner at Firgun Ventures, said the quantum community was “stunned” when recent research suggested that fewer physical qubits than previously assumed may be needed to crack widely used encryption systems like RSA-2048.
“If this can be demonstrated in the laboratory and corroborated, the timeline for cracking RSA-2048 could, in theory, be reduced to two or three years,” he said, noting that advances in large-scale fault-tolerant systems will also apply to elliptic curve cryptography.
Others urge caution.
Aerie Trouw, co-founder and CTO of XYO, believes that “we are still far enough away that there is no practical reason to panic.”
Frederic Fosco, co-founder of OP_NET, was more direct. Even if such a machine emerges, “you update the encryption. That’s it. It’s not a philosophical dilemma: it’s an engineering problem with a known solution.”
Ultimately, the question is about governance, timing, and philosophy — and whether the Bitcoin community can reach a consensus before quantum computing becomes a real, concrete threat.
Freezing vulnerable coins would call into question Bitcoin’s claim of immutability. Allowing them to be eliminated would call into question its commitment to equity.
