If someone builds a giant quantum computer, does Satoshi's many Bitcoin wallets instantly belong to them? The phrase "Q-day" has become shorthand for the moment when a quantum computer can break today's public-key cryptography, turning ancient coins and modern ledgers into low-hanging fruit for whoever turns the key first.
Commentators on social media regularly discuss scenarios where someone starts using Shor's algorithm, drains those caches, and then either instantly crashes the market, or proves the coin's enigmatic founder is still alive, causing other unforeseeable consequences.
The source of the drama here is obvious: Satoshi's stash is often estimated at around 1 million BTC, which means it's worth somewhere in the ballpark of $100 billion today, and it's all sitting in untouched early-era addresses. And as the world quickly approaches Q-day, the vulnerability of that stockpile is a big risk that's tough to mitigate.
If the chain doesn't migrate to quantum security (a burdensome and complicated process which might ultimately require actually burning old coins like the one in Satoshi's stash anyway), the theft of his coins is guaranteed on a long enough timescale.
At the same time, the risk of quantum computers being able to steal Satoshi's motherlode within the next five years or so is quite substantial, and over a 10-year horizon that risk becomes increasingly pressing.
But before you let this story decide the fate of your allocation to Bitcoin, it's worth separating the nightmare fuel from the actual cryptographic and governance realities.
What Q-day really means for Bitcoin's cryptography
Let's take a beat to understand why Bitcoin is vulnerable in the first place:
The general idea is that modern public-key schemes like RSA and elliptic-curve cryptography (ECC) rely on math problems that are forbiddingly hard for classical computers to solve. Those same problems are quite tractable for a sufficiently large quantum computer running Shor's algorithm. Such a machine could, in principle, make standard encryption obsolete by deriving private keys from public keys fast enough to render current protocols unsafe.
[Embedded explainer: How Shor's Algorithm Works]
Many now argue there is a nontrivial chance that Q-day arrives before 2035, which would threaten everything from banking networks to Bitcoin wallets. Governments are already telling critical infrastructure operators to start migrating to post-quantum cryptography (PQC) and finish that transition by the mid-2030s, treating the threat as a long lead-time inevitability rather than something hypothetical.
But before mapping the risks to Satoshi's coins specifically, we need a generalizable threat model.
Quantum computers use qubits rather than bits, which lets them explore many computational paths in superposition, and exploit interference patterns to zero in on the set of useful answers. That's what makes Shor's algorithm a theoretical threat; it can factor large numbers or solve discrete log problems in polynomial time, cutting through the hardness assumptions behind standard public-key cryptography.
For years, Scott Aaronson was a reliable voice against hype, pointing out that talk of breaking 2048-bit cryptography in 3 to 5 years is unwarranted given current error rates and qubit counts. That skepticism has not vanished, but the tone has recently shifted to be more alarming, and with good reason.
In a November 2025 blog post, Aaronson called it a "live possibility" that a fault-tolerant quantum computer running Shor's algorithm arrives before the next U.S. election, which is a sharp update from such an event being "decades away" to "you at least have to take this seriously."
The hardware backdrop is catching up quickly too. Saudi Aramco just installed a 200-qubit system from Pasqal and relayed Aaronson's and Vitalik Buterin's warnings about the pace of progress and the stress it puts on elliptic-curve cryptography.
At the same time, conservative voices in security and engineering circles keep emphasizing that today's machines are noisy, shallow, and nowhere near the thousands of high-fidelity logical qubits needed to break strong keys at scale. For now, it's undeniable that they're right -- the problem is that everyone including them knows they won't be right forever, and perhaps not even for much longer.
This is why many serious analyses focus less on a calendar date and more on migration paths. Today, around 1.72 million BTC in very early address types and another 4.49 million BTC in old or reused addresses are vulnerable to quantum attacks. A separate synthesis puts the total around 6.5 million BTC, roughly one third of the outstanding supply, with Satoshi's legendary 1.1 million BTC in the direct blast radius.
Those are big numbers, but they also point to a narrower class of outputs, which is where Satoshi's stash lives.
How exposed are Satoshi's coins specifically?
The technical nuance that decides whether quantum computers can steal Satoshi's coins is that not all UTXOs are equally visible to Shor's algorithm. Early coins, including Satoshi's, mostly sit in "pay-to-public-key" (P2PK) outputs that publish the full public key on-chain, whereas later formats publish only a hash of the public key and reveal the key itself only when the output is spent, which leaves them substantially better off, though not fully secure.
All coins in P2PK and reused P2PKH addresses are quantum-vulnerable, while one-time P2PKH outputs with never-revealed keys are safe. Therefore, avoiding address reuse and sticking to hash-obfuscated outputs is already a good practice even in a pre-quantum world.
Nonetheless, per information published by the Quantum Insider, about 6.65 million BTC now sit in wallets with permanently exposed public keys, including roughly 1.9 million BTC in early P2PK and 4 million BTC in reused addresses. Satoshi Nakamoto's BTC are likely inside that 6.65 million, sitting in early blocks where the pubkeys are baked into the script.
To make the landscape more concrete, consider this simplified map of the situation.
| Coin category | On-chain key exposure | Quantum risk profile | Mitigation path |
|---|---|---|---|
| Satoshi-era P2PK outputs | Public keys are fully visible in early scripts | Prime target for long-range attacks on dormant wallets once Shor-capable machines exist | Protocol-level changes or social consensus would be needed to block or redirect spends |
| Reused legacy addresses | Old and reused P2PKH and similar outputs leak their public keys when first spent | Vulnerable, but agents who still control keys could move funds to newer address types | User action and wallet upgrades can migrate these coins to safer outputs |
| Modern, never-spent P2PKH and SegWit outputs | Keys remain hashed until first spend, and best practice discourages reuse | Safe against long-range attacks until the moment of spend; only short-range "race" attacks matter | Wallets can eventually adopt quantum-safe signatures before spending |
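To make the exposure classes above concrete, here is an added Python example (not code from the article) that sorts a constructed sample of outputs into the table's three rows by recognising the scriptPubKey template and sums the BTC in each class. The scripts, keys and the set of already-spent key hashes are constructed filler, not chain data; the "reused" test assumes you already hold the set of key hashes that have signed a spend on-chain.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed sample scripts: filler bytes, not real keys or chain data.
P2PK_UNCOMPRESSED = "41" + "04" + "11" * 64 + "ac"   # <65-byte pubkey> OP_CHECKSIG
P2PKH_FRESH = "76a914" + "aa" * 20 + "88ac"          # OP_DUP OP_HASH160 <20B> OP_EQUALVERIFY OP_CHECKSIG
P2PKH_REUSED = "76a914" + "bb" * 20 + "88ac"
P2WPKH_FRESH = "0014" + "cc" * 20                    # OP_0 <20-byte key hash>

@dataclass
class Utxo:
    txid: str
    script_hex: str
    value_btc: float

def script_type(script_hex: str) -> str:
    """Recognise the output templates the table discusses."""
    s = bytes.fromhex(script_hex)
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "p2pk"        # public key pushed in the clear, then OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "p2pkh"
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"

def key_hash(script_hex: str) -> bytes:
    """The 20-byte HASH160 pushed by a P2PKH or P2WPKH script."""
    s = bytes.fromhex(script_hex)
    return s[3:23] if s[0] == 0x76 else s[2:22]

def exposure_class(utxo: Utxo, spent_from: set) -> str:
    """Map one output to a risk row. spent_from holds key hashes that have
    already signed a spend, so their public key is on-chain (address reuse)."""
    t = script_type(utxo.script_hex)
    if t == "p2pk":
        return "exposed_p2pk"
    if t in ("p2pkh", "p2wpkh"):
        return "exposed_reused" if key_hash(utxo.script_hex) in spent_from else "hashed_unspent"
    return "other"

def summarize(utxos, spent_from) -> dict:
    """Total BTC per exposure class."""
    totals = defaultdict(float)
    for u in utxos:
        totals[exposure_class(u, spent_from)] += u.value_btc
    return dict(totals)

SAMPLE = [Utxo("tx0", P2PK_UNCOMPRESSED, 50.0), Utxo("tx1", P2PKH_FRESH, 1.5),
          Utxo("tx2", P2PKH_REUSED, 2.0), Utxo("tx3", P2WPKH_FRESH, 0.25)]
SPENT_FROM = {bytes.fromhex("bb" * 20)}   # constructed: the "bb" hash has spent before

if __name__ == "__main__":
    print(summarize(SAMPLE, SPENT_FROM))
```

Run against a real UTXO snapshot, the same classification is how the per-category BTC figures quoted in this article are produced: the P2PK and reused buckets are the quantum-exposed ones.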
Even for Satoshi's stash, you'd need a very specific capability, which is to say a quantum computer that can repeatedly run Shor's algorithm against 256-bit elliptic-curve keys fast enough to walk the set of exposed pubkeys before the network reacts. That's a far steeper requirement than what can be accomplished by the machines we see on display in press releases. Furthermore, it's rational to assume that nation-state adversaries will prioritize intelligence, military, and financial-system targets long before they run a PR stunt on cracking Bitcoin.
Splash some cold water on the hype
One reason this topic keeps flaring is that it is easy to spin a lurid and fearful story that gets a lot of attention. Social feeds then compress the various nuances into "Bitcoin doomed by 2028," which is not what any of the best-informed people actually say.
For example, Nick Carter has become one of the clearer voices trying to bridge the gap between technical realism and investor fear. He recently argued that "quantum computing is the biggest risk to Bitcoin" and also that it's a uniquely intractable one because of Bitcoin's conservative governance as well as the difficulty of altering its signature scheme. Carter now sees a cryptographically relevant quantum computer as plausible by around 2035 given the pace of investment and hardware progress, and urges the community to treat upgrades as urgent.
Carter also flips the narrative around lost coins. His view is that Bitcoin's security model functions as a vast "bug bounty" worth hundreds of billions, incentivizing researchers and attackers alike to probe its limits. In that frame, Satoshi's hoard is less a mystical relic of a primordial era, and more the most visible target in a global contest between cryptographers and adversaries.
If someone can actually steal those coins with a quantum machine, we will have learned something profound about both Bitcoin and the broader cryptographic ecosystem, but we should also expect that the lesson will extract a brutal tuition fee from pretty much everyone in crypto at once if it happens.
Investors scrolling social media see both ends of this spectrum. Reddit and X threads mix genuinely insightful discussion of long-range versus short-range attacks with memes about "quantum bandits" and breathless claims that Bitcoin instantly goes to zero the moment some lab crosses an internal threshold. The uncomfortable truth is that some of the fear is justified, but it is often attached to the wrong things.
Here are a few signals that legitimately deserve your attention:
- Serious cryptographers like Scott Aaronson now call a Shor-capable machine possible before 2028.
- Security agencies were previously advising critical operators to complete post-quantum migration by around 2035, but more recently have started to push for a 2028 migration deadline.
- Bitcoin's own governance history suggests upgrades take years of debate and coordination.
Taken together, those facts justify treating quantum as a serious, slow-forming risk. What they do not justify is the reflexive claim that Bitcoin is unfixable or that Satoshi's coins are guaranteed to be stolen the moment someone in a bunker hits "run."
Mitigations, governance, and an investor playbook for quantum risk
So, will quantum computers steal Satoshi's coins? The honest answer right now is that it is a credible but not yet imminent scenario, and one that depends at least as much on human governance as on hardware timelines.
Quantum machines powerful enough to run Shor's algorithm on Bitcoin keys will not arrive in a vacuum; they will arrive in a world where governments, standards bodies, and open-source communities have been wrestling with this problem for years.
At the cryptography level, the good news is that we already have standardized post-quantum algorithms like:
- ML-KEM
- ML-DSA
- SLH-DSA
These are designed to resist both classical and quantum adversaries, and they can be implemented in software, so they run on classical computers and hardware wallets and can be integrated into existing protocols.
The harder part will be retrofitting those tools into Bitcoin's social and technical fabric. Upgrading signature schemes for new outputs via a soft fork is conceptually straightforward, but deciding what to do about legacy UTXOs is pure politics.
As an investor, your edge comes from treating the uncertainty here as one risk factor among many, not as the entire story that determines your course of action with this all-important asset.