More than one third of all Bitcoin in existence already has its public keys permanently exposed on the blockchain — meaning that when a quantum computer capable of running Shor’s algorithm finally arrives, the theft of those coins could begin quietly, weeks or months before anyone detects it. That is the core of a governance crisis that Bitcoin has no designated authority to resolve, and an article published July 4 by CoinDesk’s Olivier Acuna — drawing on on-record responses from three of the industry’s most prominent voices — confirms that the community remains as divided as ever.
Binance founder Changpeng “CZ” Zhao revived the debate on June 18 during a podcast appearance on Galaxy Brains with Galaxy Research president Alex Thorn, raising the question of whether the Bitcoin network should eventually freeze dormant addresses — including Satoshi Nakamoto’s estimated 1.1 million BTC, worth approximately $68 billion — if quantum computers ever become capable of cracking the Elliptic Curve Digital Signature Algorithm that secures Bitcoin wallets. Today’s expert responses confirm the community is nowhere near consensus, and the window to reach that consensus before quantum hardware closes the gap may be shorter than most holders realize.
What CZ Proposed, and What He Didn’t Say
Zhao’s remarks on the June 18 podcast were measured rather than prescriptive. He outlined a hypothetical sequence: after a future network-wide upgrade to quantum-resistant cryptography, holders of older addresses — including whoever controls Satoshi’s wallets — would get six to twelve months to migrate their coins to newly protected addresses. If those wallets remained dormant after the window closed, the community could then vote on whether to freeze them.
“If we don’t do anything with it, then we’re basically giving it to somebody who’s going to hack it,” Zhao said during the podcast. He was explicit that any such outcome would require either a soft fork or hard fork approved by the Bitcoin community, not any decision by Binance or a single organization. CZ later pushed back on characterizations that he would personally freeze Satoshi’s address, and noted that distinguishing Satoshi’s wallets from other early-miner addresses is technically imprecise — roughly 22,000 addresses each holding approximately 50 BTC are grouped under the Satoshi estimate.
The stakes are not merely symbolic. Satoshi’s ~1.1 million BTC are the most visible target, but the total quantum-exposed supply is substantially larger, according to the BIP-361 proposal.
Google Slashed Quantum Attack Cost 20-Fold in March
On March 30, 2026, Google Quantum AI published a 57-page whitepaper, co-authored with Justin Drake of the Ethereum Foundation and researchers from Stanford University, that fundamentally revised the resource estimate for cracking Bitcoin’s cryptography.
The previous best estimate, from Daniel Litinski’s 2023 work, required approximately 9 million physical qubits to execute Shor’s algorithm against Bitcoin’s secp256k1 elliptic curve. Google’s team found a circuit optimization that achieves the same result with fewer than 500,000 physical qubits — roughly a 20-fold reduction in what researchers call “spacetime volume.” At current error rates and under plausible superconducting architecture assumptions, the paper estimates the attack runtime at minutes, not days.
Bitcoin’s security rests on a specific mathematical problem: deriving a private key from a published public key requires solving the Elliptic Curve Discrete Logarithm Problem on secp256k1. Classical computers would need on the order of 2^128 operations — effectively impossible. Shor’s algorithm, running on a sufficiently powerful quantum computer, solves this in polynomial time. Every time a Bitcoin holder sends a transaction, they broadcast their public key to the entire network. Those public keys are permanent and irrevocable entries on the blockchain.
As of March 1, 2026, more than 34% of all Bitcoin in circulation has a public key permanently recorded on-chain, according to the BIP-361 proposal text. That figure includes coins in Pay-to-Public-Key addresses from Bitcoin’s earliest years, where public keys are exposed by design, as well as Pay-to-Public-Key-Hash and SegWit addresses where a public key was revealed at the moment of a prior spend. By comparison, Google’s most advanced quantum chip — Willow — has 105 physical qubits today. The gap between current hardware and a Bitcoin-breaking machine remains enormous. But the direction of travel is what prompted developers to act.
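The exposure rule in the paragraph above can be checked mechanically for the three output types it names. The following Python sketch is an added example, not code from BIP-361 or from the article. The names `classify`, `exposed_share` and `spent_from_before` are hypothetical, the caller is assumed to know from its own transaction history whether an address has been spent from, and the sample outputs are constructed rather than real on-chain data.

```python
from typing import NamedTuple, Optional


class Exposure(NamedTuple):
    script_type: str
    key_on_chain: Optional[bool]  # None = script type not covered by this sketch
    reason: str


def _looks_like_pubkey(data: bytes) -> bool:
    # Serialized secp256k1 key: 33 bytes (02/03 prefix) or 65 bytes (04 prefix).
    return (len(data) == 33 and data[0] in (2, 3)) or (len(data) == 65 and data[0] == 4)


def classify(script_pubkey_hex: str, spent_from_before: bool) -> Exposure:
    """Say whether the public key behind an output is already recorded on-chain."""
    spk = bytes.fromhex(script_pubkey_hex)
    # P2PK: <push N> <N-byte pubkey> OP_CHECKSIG (0xac); the key sits in the output.
    if (len(spk) in (35, 67) and spk[0] == len(spk) - 2 and spk[-1] == 0xAC
            and _looks_like_pubkey(spk[1:-1])):
        return Exposure("P2PK", True, "public key is written in the output script")
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    is_p2pkh = len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac"
    # P2WPKH (SegWit v0): OP_0 <20-byte hash>
    is_p2wpkh = len(spk) == 22 and spk[:2] == b"\x00\x14"
    if is_p2pkh or is_p2wpkh:
        kind = "P2PKH" if is_p2pkh else "P2WPKH"
        if spent_from_before:
            return Exposure(kind, True, "key was revealed by an earlier spend")
        return Exposure(kind, False, "only a hash of the key is on-chain")
    return Exposure("other", None, "script type not covered by this sketch")


def exposed_share(utxos) -> float:
    """Fraction of total value (satoshis) whose public key is already on-chain."""
    total = sum(value for _, value, _ in utxos)
    exposed = sum(value for spk, value, reused in utxos
                  if classify(spk, reused).key_on_chain)
    return exposed / total if total else 0.0


# Constructed sample outputs: (scriptPubKey hex, value in satoshis, spent_from_before).
# The key and hash bytes are filler patterns, not real keys or addresses.
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000, False),  # P2PK, 50 BTC
    ("76a914" + "22" * 20 + "88ac", 1_000_000_000, False),   # P2PKH, never spent from
    ("76a914" + "33" * 20 + "88ac", 2_000_000_000, True),    # P2PKH, address reused
    ("0014" + "44" * 20, 2_000_000_000, False),              # P2WPKH, never spent from
]

if __name__ == "__main__":
    for spk_hex, value, reused in SAMPLE_UTXOS:
        print(classify(spk_hex, reused), value)
    print(f"exposed share of value: {exposed_share(SAMPLE_UTXOS):.0%}")
```

Run over a wallet's own unspent outputs, the same classification shows which coins would be first in line for migration.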
Drake, who joined the Google paper as a co-author, wrote that his confidence in a quantum computer recovering a Bitcoin private key by 2032 had “shot up significantly” following the paper. He estimated at least a 10% probability of that outcome. Adam Back, CEO of Blockstream, holds a more conservative view, placing the practical quantum threat 20 to 40 years out. ARK Invest’s March 2026 report classified the current moment as “Stage 0” — quantum computers exist, but none has commercially relevant capability.
The most critical detail in the Google paper was not the hardware estimate but the attack geometry. A nation-state or well-funded actor that achieves quantum capability would have no incentive to announce it. According to the BIP-361 proposal, a quantum attacker could “compute the private key for known public keys then transfer all funds weeks or months later, in a covert bleed to not alert chain watchers. Q-Day may be only known much later if the attack withholds broadcasting transactions in order to postpone revealing their capabilities.”
This is the detail that makes governance urgency real: Bitcoin holders might not know their coins are already gone.
BIP-361: Three Phases, One Deadline, Fierce Backlash
The proposal that has generated the most controversy is not CZ’s informal podcast comment. It is Bitcoin Improvement Proposal 361, formally titled “Post Quantum Migration and Legacy Signature Sunset,” published April 14, 2026 by Jameson Lopp and five co-authors: Christian Papathanasiou, Ian Smith, Joe Ross, Steve Vaile, and Pierre-Luc Dallaire-Demers.
BIP-361 builds on a companion proposal, BIP-360, published February 11, 2026, which introduced a new quantum-resistant address format called P2MR (Pay-to-Merkle-Root). BIP-360 provides the foundation; BIP-361 is the enforcement mechanism.
The proposal lays out three phases:
Phase A activates roughly three years after BIP-360. At that point, no new Bitcoin transactions can send funds to quantum-vulnerable address types. Existing holders can still spend from vulnerable addresses and move coins to protected ones; new deposits to vulnerable formats become impossible. This narrows the attack surface with each new transaction.
Phase B activates approximately two years after Phase A — five years from BIP-360 in total. At that point, legacy ECDSA and Schnorr signatures become invalid at the consensus level. Any Bitcoin that has not migrated is effectively frozen: it cannot be moved under network rules, regardless of who holds the private key. This is the provision that critics describe as confiscatory.
Phase C, still under active research, would introduce a rescue mechanism using zero-knowledge proofs tied to BIP-39 seed phrases. A holder who missed the deadline but still possesses their original seed phrase could theoretically prove ownership through a ZK proof and recover frozen coins without exposing private keys. This phase is the most technically speculative element of the proposal.
Lopp has been candid about his ambivalence. On X, he wrote: “I know people don’t like this proposal. I don’t like it either. But I wrote it because I dislike the alternative even more.” The alternative he described: a quantum attacker reaching into the exposed address pool and extracting coins at will, with no network-level defense.
The community backlash was immediate. Bitcoin Magazine editor Brian Trollz rejected the proposal outright. TFTC founder Marty Bent called it “ridiculous.” Metaplanet’s head of business development, Phil Geiger, summarized the critique with dark irony: “We have to steal people’s money to prevent their money from being stolen.” On Reddit, commenters described BIP-361 as a violation of Bitcoin’s foundational promise that no one can touch coins without the owner’s keys.
BIP-361 remains in draft status. No activation timeline exists. Bitcoin Core and the broader developer community have not formally endorsed it.
Three Proposals, Three Philosophies on What to Do
The CoinDesk article published today surfaced a cleaner taxonomy of the community’s positions than any prior coverage.
Michael Terpin, founder and CEO of Transform Ventures and a figure active in Bitcoin since its early years, drew a firm philosophical line. “While I appreciate the proactivity in CZ’s proposal, it begins a slippery slope of creating permission in a permissionless system relative to personal property,” Terpin said. He offered a contrarian economic take: if quantum thieves eventually accessed Satoshi’s coins and dumped them on the market, the resulting price crash would be painful but temporary. “It would be a one-time episode and post-quantum bitcoin would recover,” he said. Terpin also questioned whether Bitcoin’s decentralized community could ever form consensus quickly enough: “Considering it took years just to implement SegWit, I doubt a quick consensus could be formed here.”
Jameson Lopp rejected the framing of CZ’s remark as a proposal at all. “I don’t really consider it a proposal so much as him musing upon the threat,” Lopp said. His own BIP-361 framed the issue differently: not whether to freeze Satoshi’s specific coins, but whether Bitcoin can coordinate a network-wide migration to quantum-resistant cryptography before a quantum computer exists. “I think this is not a binary debate of ‘to freeze or not to freeze.'”
Matt Hougan, chief investment officer at Bitwise Asset Management, declined both poles. He endorsed a third path: a proposal by Nic Carter of Castle Island Ventures that would place Satoshi’s bitcoin into a legal trust until ownership could be proven through historical electronic records. “I actually like Nic Carter’s proposal,” Hougan said. “It avoids the philosophical challenges of both CZ’s suggestion and the ‘let whatever happens’ perspective.” Hougan noted that the market already prices Satoshi’s holdings as permanently unavailable, and that almost any active intervention creates more risk than the status quo: “I don’t think there is any way that developments around Satoshi’s coins are positive for the ecosystem.”
A fourth technical path, called Provable Address-Control Timestamps or PACTs, was proposed May 1, 2026 by Dan Robinson of Paradigm. PACTs would let holders privately timestamp cryptographic proofs of ownership today — using BIP-322 message signing and the OpenTimestamps service, which anchors data to the Bitcoin blockchain — and later use quantum-resistant STARK zero-knowledge proofs to unlock their coins if the network eventually implements a sunset soft fork. The system requires no onchain transaction and reveals nothing publicly. If Satoshi is alive and still controls those private keys, PACTs would allow proof of that control without ever stepping into the public eye.
PACTs require future STARK verification infrastructure via a soft fork and depend on community consensus that has not been achieved. But they represent the most privacy-preserving option on the table — and the one that does not require a holder to move or reveal anything now.
Bitcoin Has No Mechanism to Decide in Time
The debate over CZ’s proposal, BIP-361, PACTs, and the Nic Carter trust reveals a structural problem that goes beyond any of the specific options: Bitcoin has no mechanism for making this kind of decision quickly.
Bitcoin’s governance operates through emergent consensus. Protocol changes are proposed as BIPs, debated publicly, implemented in software by developers, and activated on the network only when enough miners, node operators, and exchanges independently choose to run the updated code. There is no formal vote, no leadership authority, no emergency process. As the SegWit upgrade demonstrated between 2015 and 2017, even changes with broad conceptual support can take years to activate through genuine consensus. The 2013 blockchain fork emergency was resolved quickly only because the community was small and the crisis was acute and unambiguous. The DAO hack in 2016, where Ethereum’s community ultimately chose to hard-fork the chain to reverse a theft, is the closest precedent — and it split the ecosystem permanently into Ethereum and Ethereum Classic.
Freezing quantum-vulnerable addresses is categorically different from any prior Bitcoin protocol change. Every previous upgrade altered what Bitcoin could do. This one would alter who can spend coins they already own. The governance model was deliberately designed to make exactly this kind of intervention extraordinarily difficult. That design is a feature in ordinary circumstances. It becomes a liability if a cryptographically relevant quantum computer arrives before consensus on a migration path does.
The covert-bleed attack model makes the governance window even narrower. A nation-state or well-funded adversary that achieves quantum capability has every incentive to exploit it quietly. By the time on-chain transaction patterns alert researchers that something unusual is happening, the attacker may have been draining wallets for months. The Bitcoin community would be deciding whether to activate a migration framework after the attack has already begun — and after the attacker has already revealed capability by broadcasting the stolen coins.
Lopp warned that even the credible threat of such an attack — before any wallet is actually drained — would be sufficient to trigger market-wide panic. On Polymarket, the odds for “Will Satoshi Nakamoto move any Bitcoin in 2026?” stood at approximately 9.3% as of recent data, up from 4.5% at the start of the year, suggesting the market has already begun pricing in heightened uncertainty around those wallets.
What Bitcoin Holders Can Do Right Now
No Bitcoin holder is required to take immediate action. No proposal to freeze dormant wallets has entered Bitcoin’s formal governance process, and no migration timeline has been established. But several steps are available to holders who want to reduce their personal quantum exposure.
The most consequential change is address format. Pay-to-Public-Key addresses — common in Bitcoin’s first two years and still holding a portion of Satoshi’s stash — permanently expose public keys. Any holder who received Bitcoin to a P2PK address and has not moved those coins should treat migration to a modern address type as a priority once BIP-360’s quantum-resistant format achieves mainnet activation. In the meantime, Pay-to-Taproot (P2TR) addresses delay key exposure until a spend is signed, reducing the window of vulnerability.
Holders who want to preserve optionality under the PACTs framework can take an additional step today: generate a BIP-322 signed control proof for their vulnerable addresses and anchor the proof via OpenTimestamps. This requires no onchain transaction, costs nothing in fees, and creates no public record. If Bitcoin later implements STARK verification via soft fork, a PACTs holder would have a credible rescue path for coins that might otherwise be frozen. If Bitcoin never implements that infrastructure, the timestamps are simply unused files.
Institutional holders and exchanges should monitor the progress of BIP-360 toward mainnet activation. The timeline from BIP-360 activation to Phase B of BIP-361’s freeze — if both pass — is five years. That window is the migration clock. Custodians who wait for the deadline to migrate client funds will face the same coordination problem at scale.
Frequently Asked Questions
How can quantum computers actually break Bitcoin’s encryption?
Bitcoin’s security depends on the computational infeasibility of deriving a private key from a public key using classical computers — a problem called the Elliptic Curve Discrete Logarithm Problem. A 1994 algorithm called Shor’s algorithm, run on a sufficiently powerful quantum computer, solves this problem in polynomial time rather than the effectively infinite time it would take classically. When someone sends Bitcoin, they publish their public key to the blockchain permanently. A quantum computer running Shor’s algorithm against that public key could then derive the private key and spend the associated coins. Google’s March 30, 2026 whitepaper reduced the estimated hardware requirement from approximately 9 million physical qubits (2023 estimate) to fewer than 500,000 — a 20-fold compression — with an attack runtime measured in minutes rather than days. No quantum computer capable of this attack exists today.
What is BIP-361, and what would it actually do to coins that don’t migrate?
BIP-361, authored by Jameson Lopp and five co-authors and published April 14, 2026 on GitHub, proposes a three-phase protocol transition. Phase A would prevent new Bitcoin from being sent to quantum-vulnerable address formats, starting roughly three years after a prerequisite quantum-resistant address upgrade (BIP-360) activates. Phase B, five years after BIP-360, would invalidate legacy ECDSA and Schnorr signatures at the network consensus layer — meaning any coins still in vulnerable addresses after that date cannot be moved at all, regardless of who holds the private key. Phase C, still in research, would offer a zero-knowledge proof rescue path for holders who missed the deadline but still possess their original seed phrase. The proposal remains a draft. No activation timeline exists, and the Bitcoin developer community has not reached consensus on it. You can read BIP-361 in full on GitHub.
What happens if Bitcoin’s governance cannot agree on a quantum migration plan before a quantum computer arrives?
This is the question Bitcoin’s governance structure was not designed to answer quickly. If a cryptographically relevant quantum computer arrives before the community achieves consensus on a migration framework, a well-funded attacker with quantum capability could begin draining exposed addresses quietly — computing private keys from public ones and waiting weeks or months before broadcasting any transactions, to avoid revealing their capability. The community might not detect the attack until long after it has begun. At that point, any intervention — freezing addresses, approving a fork — would require an emergency consensus process that has no precedent at Bitcoin’s current scale. The Ethereum community’s DAO hard fork in 2016 provides one historical analogy, but that decision split Ethereum permanently. Bitcoin has never reversed a transaction and has a governance culture that treats immutability as a core value. Whether that culture can adapt under a genuine quantum attack timeline remains entirely unresolved.
If I’m an ordinary Bitcoin holder, is there anything I should do right now?
No immediate action is required. But holders can reduce future quantum exposure in a few steps. First, check which address format holds your coins: P2PK addresses (common in 2009–2010) permanently expose public keys; P2TR (Taproot) addresses are the most modern and delay key exposure until a spend. Second, if you have coins in older address formats, plan to migrate them to a quantum-resistant address type once BIP-360 achieves mainnet activation — the five-year window from BIP-360 to BIP-361’s freeze deadline, if both pass, is the migration clock. Third, if you want to preserve a recovery path under the PACTs framework without moving coins or revealing anything publicly, you can create a BIP-322 signed control proof anchored via OpenTimestamps today at no cost. None of these steps eliminates the underlying governance uncertainty — only community consensus on a migration path can do that.