People like to say Bitcoin can’t be confiscated, can’t be inflated, can’t be stopped. But what if it can be unlocked by someone who never owned it?
That's the question explored in Nic Carter’s Trillion-Dollar Salvage. It's fiction (for now) but it needles a real nerve, which is that a single cryptographic weakness can turn dormant coins into a prize. The weakness itself is exploitable by a sufficiently powerful quantum computer that can crack Bitcoin's cryptography. The prize, Satoshi Nakamoto's gargantuan hoard of Bitcoin worth approximately $100 billion, is the single largest pile of treasure to ever exist in human history thus far.
This is worth thinking through today because the post-quantum computing migration conversation is (finally) turning operational. The next step is to understand why the prize is going to bend behavior long before the tech to implement the attack actually exists.
This bounty is too lucrative to leave on the table
When a single jackpot like Satoshi's stash is sitting in plain view for everyone to see, the game shifts from “can we take it” to “who will move the fastest to take it”.
On that note, Bitcoin transaction authorization relies on ECDSA over secp256k1, and the quantum worry is that Shor-style attacks can target discrete logs on elliptic curves if a sufficiently capable fault-tolerant machine shows up. A conservative resource estimate for elliptic-curve discrete logs is laid out in Roetteler et al., and it implies a large gulf between impressive lab demos and anyone ever being able to steal coins on demand.
That gulf, however, is closing.
Google’s recent error-correction results are a tangible step towards meaningful quantities of logical qubits, yet they're still very far from an attack-ready stack, and even if they had it, it isn't in their line of business to implement it. Similarly, IBM’s roadmap frames a path to large-scale fault tolerance, including a target system with 200 logical qubits. That's marking meaningful progress compared to yesteryear, but it's not the same thing as forging signatures at scale, and again, hacking Bitcoin isn't something they'd ever want to be understood as being in their wheelhouse.
So, it's worth also pushing back on the seductive claim that governments can already do everything they want with quantum computing, because it's simply highly unlikely to be fully true even under pessimistic assumptions. The capabilities involved are simply quite difficult to build at the scale needed, even by highly-resourced actors.
Why the quantum grab is a game worth following
If the prize is big enough, the competition plays out via timing, signaling, and commitment, not to mention raw compute power and other forms of technical prowess.
One red-team framing is laid out in Project Eleven’s “Quantum Wargames”, which sketches how an adversary might behave if Q-Day becomes imminently plausible. The key idea is an attacker’s objective function, which is to extract value while delaying the moment defenders coordinate. The attacker doesn't need to serially crack and use keys; they could crack many keys and then use them all at once in an alpha strike if they wanted to inflict maximum damage on the ecosystem.
Note that defenders must realize they're under attack before coordinating an active response, but also that they can make defensive preparations according to their willingness to devote resources. The first credible theft attempt increases the odds of an emergency response that makes later theft attempts harder.
That timing dynamic creates a first-mover advantage, and, in contexts like Satoshi's stash, where no defense can credibly exist, it also heavily incentivizes attempting imperfect attacks which may not succeed initially (if they are developed). It also creates a coordination trap for everyone else. If multiple actors believe the threat is real, each has an incentive to act before disclosure forces a migration, even if they would prefer a world where nobody acts at all.
So who can chase Satoshi's hoard credibly, and what holds them back?
Who's aiming at Satoshi's pile today?
Another way of framing this question is asking who can sustain a highly capital-intensive and secretive engineering platform, where there's a known intelligence payoff for future success. You can probably see where this is going already.
On the government side, the NSA’s algorithm suite update is explicit about quantum transition pressure, as shown in CNSA 2.0. The NSA is releasing what's nominally a defensive document, but obviously it signals serious institutional acceptance of the threat model.
CISA has also emphasized PQC migration planning in this joint resource announcement, which is another marker that “harvest now, crack later” thinking is not niche anymore.
To keep the operational logic straight, this table separates attacker archetypes from the constraints that keep this from being an immediate crisis.
Actor archetype | Examples | What they plausibly have | What blocks them | What defenders can do |
|---|---|---|---|---|
State intelligence services | NSA, SCS (Russia), MSS (China) | Budget, secrecy, coercion, patience | Fault-tolerant scale, plus attribution risk | Build crypto-agility plans guided by NIST IR 8547 |
Big tech quantum labs | IBM, Google | Hardware talent and error-correction roadmaps | Reputational blowback and legal exposure | Reduce exposed-key surface with proposals like BIP 360 |
Protocol-focused startups | Lightning Labs, Chaincode Labs | Product focus and fundraising access | They depend on public trust to sell tools | Demand measurable milestones and adversarial testing |
Criminal groups | Motivation and flexible operations | They can’t build fault tolerance from scratch | Pay security professionals for active threat monitoring; make “easy targets” disappear by moving to safer script paths |
The table should make one point feel unavoidable: The attack to worry about is if a sufficiently sophisticated quantum computer exists, and that the attacker can execute an attack using it, preferably without triggering a fast migration.
That brings us back to Nic Carter’s story.
Nic Carter’s base case
Carter is explicit that his story is more a thought experiment about governance coordination with Bitcoin than it is an actual prediction.
His implied base case is that even after a quantum computing breakthrough, the response is procedural and political. Institutions push for a fork, miners and custodians pick sides, and the transition is slow, and uneven among different types of holders.
On that note, it's important to see that Bitcoin developers are not asleep at the wheel even if they're moving very slowly relative to what major holders might prefer. A hard-fork style concept to enforce migration from legacy outputs is under consideration.
The uncomfortable part is time: Even with a social consensus, migrating signature schemes across the economy of Bitcoin is a big coordination project, and attackers only need a short window of capability to create irreversible damage. As stated previously, there may not be much of an incentive for an attacker to sit quietly and wait for someone else to take the prize.
An attack on Satoshi's stash is probably not imminent. So where does that leave things? If the world stays pre-Q-Day forever, the biggest pile of treasure to ever exist will remain as some numbers on a blockchain, owned only by an absent Satoshi.
But that probably won't happen. That means the race to capture the motherlode is undeniably on.
To keep up with the latest in blockchain technology and quantum computing, join us on X and subscribe to our newsletter.
Sources
Quantum Resource Estimates for Computing Elliptic Curve Discrete Logarithms
CISA, NSA, and NIST publish new resource for migrating to post-quantum cryptography
Post-Quantum Crypto Startup Project Eleven Raises $20 million in Funding Round
NIST IR 8547 (Initial Public Draft): Transition to Post-Quantum Cryptography Standards
Bitcoin Developer Proposes Hard Fork to Protect BTC From Quantum Computing Threats
