Few questions in Bitcoin generate as much heat and as little clarity as the quantum one. The short answer in 2026 is this: Bitcoin is not under threat today, the threat is genuine on a long enough horizon, and the network has not yet adopted a defence. This guide explains the actual attacks, the realistic timeline, and what a holder can sensibly do — without the doom and without the hand-waving.
It is worth being precise from the start, because most “quantum kills Bitcoin” headlines collapse two very different problems into one. Understanding the difference is the whole game.
Two Different Attacks, Not One
The first attack targets digital signatures. Bitcoin uses elliptic-curve cryptography — specifically the secp256k1 curve with ECDSA — to prove ownership of coins. A sufficiently powerful quantum computer running Shor's algorithm could, in principle, derive a private key from its corresponding public key. This is the realistic long-term concern.
The second attack targets mining and the hash function, SHA-256. Here the relevant quantum tool is Grover's algorithm, which offers only a quadratic speed-up rather than the exponential break Shor's provides. That makes the hashing layer far more resilient: a quantum miner would be faster, but not catastrophically so, and the difficulty adjustment absorbs much of the effect. When people say quantum computing could “break Bitcoin,” they almost always mean the signature problem, not the mining one.
When Is a Public Key Actually Exposed?
This is the detail that changes everything. Modern Bitcoin addresses do not show your public key. Address types such as P2PKH, P2WPKH and P2TR publish only a hash of the public key. The key itself becomes visible only when you spend from that address, because the spending transaction reveals it.
That leaves three categories of genuinely exposed coins. First, reused addresses: once you have spent from an address, its public key is public forever, so any remaining or future balance there is exposed. Second, old pay-to-public-key (P2PK) outputs from Bitcoin's earliest era, which published the raw public key by design — a category that includes a large share of the so-called Satoshi-era coins. Third, the brief window between broadcasting a transaction and its confirmation, during which the public key is visible but the coins have not yet moved.
A research paper from Google illustrated the stakes by showing how a sufficiently advanced quantum computer could derive a private key from an exposed public key in minutes. The phrase doing the heavy lifting in that sentence is “sufficiently advanced.”
How Far Away Is the Hardware?
No quantum computer that exists today can break Bitcoin's cryptography, and that is not a close call. The honest way to track progress is to watch public demonstrations. In April 2026, independent researcher Giancarlo Lelli broke a 15-bit elliptic-curve key using publicly accessible quantum hardware, claiming a one-bitcoin bounty from the security firm Project Eleven. That result was roughly a 512-fold improvement over a comparable demonstration from September 2025.
It still leaves an enormous distance to cover. Bitcoin's keys sit on a 256-bit curve, and the difficulty of the problem does not scale linearly — the gap between cracking 15 bits and cracking 256 bits is astronomical, not incremental. Expert opinion reflects that uncertainty. Cathie Wood's ARK Invest has called quantum a long-term risk rather than an imminent threat. A Nobel-winning physicist has warned that it could arrive sooner than the industry assumes. Coinbase's advisory board has said the threat is on the horizon and that crypto needs a plan. The defensible read is a horizon measured in years, plausibly a decade or more, with real disagreement at the edges.
The reason estimates vary so widely is the gap between physical and logical qubits. Breaking a 256-bit elliptic-curve key is generally estimated to need thousands of stable, error-corrected logical qubits — and each logical qubit may require hundreds or thousands of physical qubits to suppress errors. Today's most advanced machines operate at a tiny fraction of that scale, and error correction, not raw qubit count, is the harder engineering problem. Progress is real, but it is not a straight line, and a single demonstration does not collapse the timeline.
‘Harvest Now, Decrypt Later’
Here is why the preparation timeline is shorter than the threat timeline. A public key, once exposed, is exposed permanently. An attacker does not need a working quantum computer today; they need only to record exposed public keys today and wait. The day capable hardware exists, every coin sitting behind an already-exposed key could be drained. This is the “harvest now, decrypt later” problem, and it is the reason serious people argue Bitcoin should add a defence well before the hardware is real.
The Defence: Post-Quantum Cryptography
The cryptography community is not standing still. In August 2024, the U.S. National Institute of Standards and Technology finalised three post-quantum standards: ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA, a hash-based signature scheme. It added a fourth algorithm, HQC, as a backup standard in March 2025. These give engineers vetted building blocks for quantum-resistant systems.
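To make concrete why a hash-based signature such as SLH-DSA sidesteps Shor's algorithm, here is an added example (not code from the article, and not a NIST reference implementation) of the simplest hash-based scheme, a Lamport one-time signature. SLH-DSA is far more elaborate, tying many one-time keys together with hash trees, but the one-time primitive alone shows the essential point: a forger must invert SHA-256, a problem Grover's algorithm only speeds up quadratically. The function names and the `forge` helper are this example's own; the last function also demonstrates the scheme's failure mode, reuse of a one-time key, which is the reason the full standard needs the tree machinery.

```python
import hashlib
import secrets

# Added example (not from the article, not a NIST reference implementation):
# a Lamport one-time signature, the simplest hash-based scheme. SLH-DSA is
# built from many such one-time keys tied together with hash trees; the
# one-time primitive alone is enough to show why security rests on the hash
# function rather than on a discrete logarithm that Shor's algorithm solves.

N_BITS = 256  # we sign the SHA-256 digest of the message, one secret per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(digest: bytes) -> list:
    """Big-endian bit list of a 32-byte digest."""
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def keygen():
    """private[b][i]: random secret for bit position i having value b.
    public[b][i] = H(private[b][i]); the public key is 2 * 256 hashes."""
    private = [[secrets.token_bytes(32) for _ in range(N_BITS)] for _ in (0, 1)]
    public = [[H(s) for s in row] for row in private]
    return private, public


def sign(private, message: bytes) -> list:
    """Reveal, for every digest bit, the secret matching that bit's value."""
    return [private[b][i] for i, b in enumerate(_bits(H(message)))]


def verify(public, message: bytes, signature: list) -> bool:
    """Hash each revealed secret and compare with the committed public hash."""
    if len(signature) != N_BITS:
        return False
    bits = _bits(H(message))
    return all(H(s) == public[b][i] for i, (b, s) in enumerate(zip(bits, signature)))


def revealed_secrets(published) -> dict:
    """Everything an observer learns from published (message, signature)
    pairs under one key: a map (bit_index, bit_value) -> secret."""
    learned = {}
    for message, signature in published:
        for i, b in enumerate(_bits(H(message))):
            learned[(i, b)] = signature[i]
    return learned


def forge(public, learned: dict, target: bytes):
    """Try to assemble a valid signature for `target` purely from leaked
    secrets. Succeeds only if every needed (index, bit) was already revealed,
    which is why a Lamport key must never sign twice."""
    try:
        sig = [learned[(i, b)] for i, b in enumerate(_bits(H(target)))]
    except KeyError:
        return None
    return sig if verify(public, target, sig) else None


if __name__ == "__main__":
    priv, pub = keygen()
    m1, m2 = b"pay 1 BTC to alice", b"pay 1 BTC to bob"
    s1 = sign(priv, m1)
    print("valid:", verify(pub, m1, s1), "tampered:", verify(pub, m2, s1))
    learned = revealed_secrets([(m1, s1), (m2, sign(priv, m2))])
    print("secrets leaked by two signatures:", len(learned), "of", 2 * N_BITS)
    print("forged third message:", forge(pub, learned, b"pay 1 BTC to mallory") is not None)
```

The verifier never needs a trapdoor: it only recomputes hashes, so the scheme's security is exactly the preimage resistance of SHA-256. Signing two different messages with one key leaks secrets for both bit values at every position where the digests differ, which is the same "exposure is permanent" logic the article applies to public keys, and the reason the standardised scheme never reuses a one-time key.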
Other networks are moving. The Ethereum Foundation has proposed quantum-safe signature designs, and several chains are experimenting with quantum-resistant wallet schemes. For Bitcoin, adding a post-quantum signature type would require a soft fork, followed by a long migration as users move funds to new, quantum-safe address formats. Proposals also exist for how to handle old and lost coins whose owners can no longer move them — a thorny question explored in coverage such as this CoinDesk report on protecting the Satoshi-era stash. None of this is a single switch; it is a multi-year coordination effort.
What a Holder Can Do Today
None of the following is urgent in 2026, but each is sensible hygiene and costs nothing:
- Do not reuse addresses. Use a fresh receiving address for each transaction. Modern wallets do this automatically — let them.
- Avoid large balances behind exposed keys. Funds left in reused addresses or old P2PK outputs are the most exposed category; consolidating them into fresh, unspent addresses reduces that exposure.
- Keep wallet software updated. When a quantum-resistant upgrade ships, you will need current software to use the new address types.
- Ignore “quantum-proof” token marketing. Projects claiming to have already solved the problem, and selling a token on that basis, are a classic scam pattern. Quantum resistance is an engineering process, not a product you buy.
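The three exposure categories from the section on public keys, and the consolidation point in the hygiene list above, can be turned into a mechanical check. The following is an added example, not code from the article, from Bitcoin Core or from any wallet: it recognises the standard P2PK, P2PKH and P2WPKH output templates and classifies a constructed ledger of outputs as exposed or hash-only. The `Output` record, the placeholder keys and 20-byte hashes (byte patterns, not real keys or hashes of one), and the sample outpoints are all this example's own assumptions; scripts it does not recognise are reported as unknown rather than guessed at.

```python
from dataclasses import dataclass

# Added example, not from the article and not Bitcoin Core or any wallet's
# code: applies the exposure categories from the text to a constructed ledger.
# Script templates are the standard ones; every key and hash below is a
# placeholder byte pattern, not a real key or the hash of one.

OP_0, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x76, 0xA9, 0x88, 0xAC


@dataclass(frozen=True)
class Output:
    outpoint: str             # "txid:vout"; constructed sample values
    script: bytes             # scriptPubKey
    value_sats: int
    spent: bool = False       # spent by a confirmed transaction
    in_mempool: bool = False  # a spend is broadcast but not yet confirmed


def script_type(script: bytes) -> str:
    """Recognise the three output templates the article discusses."""
    if (len(script) == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"   # OP_DUP OP_HASH160 <20-byte hash160> OP_EQUALVERIFY OP_CHECKSIG
    if len(script) == 22 and script[:2] == bytes([OP_0, 20]):
        return "p2wpkh"  # OP_0 <20-byte hash160>
    if (len(script) in (35, 67) and script[0] == len(script) - 2
            and script[1] in (0x02, 0x03, 0x04) and script[-1] == OP_CHECKSIG):
        return "p2pk"    # <33- or 65-byte raw public key> OP_CHECKSIG
    return "unknown"


def exposure(outputs) -> dict:
    """Map each unspent outpoint to (script type, exposure reason or None).
    A reason is present when an observer can already read the public key."""
    scripts_spent_from = {o.script for o in outputs if o.spent}
    report = {}
    for o in outputs:
        if o.spent:
            continue  # nothing left behind this output
        kind = script_type(o.script)
        if kind == "p2pk":
            reason = "raw public key is in the output script"
        elif kind == "unknown":
            reason = None  # not classified by this example
        elif o.in_mempool:
            reason = "spend broadcast; key visible until it confirms"
        elif o.script in scripts_spent_from:
            reason = "address reused: an earlier spend revealed the key"
        else:
            reason = None  # only hash160 of the key is on-chain
        report[o.outpoint] = (kind, reason)
    return report


def exposed_balance(outputs) -> int:
    """Satoshis sitting behind a public key that is already readable."""
    flagged = {op for op, (_, reason) in exposure(outputs).items() if reason}
    return sum(o.value_sats for o in outputs if o.outpoint in flagged)


def p2pkh(h160: bytes) -> bytes:
    return bytes([OP_DUP, OP_HASH160, 20]) + h160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


def p2wpkh(h160: bytes) -> bytes:
    return bytes([OP_0, 20]) + h160


def p2pk(pubkey: bytes) -> bytes:
    return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])


# Constructed ledger. Hashes and keys are placeholder patterns.
SAMPLE_LEDGER = [
    Output("a1:0", p2pk(bytes([0x04]) + b"\x11" * 64), 50_0000_0000),  # early-era P2PK
    Output("b1:0", p2pkh(b"\xaa" * 20), 30_0000, spent=True),           # spent: key revealed
    Output("b2:1", p2pkh(b"\xaa" * 20), 10_0000),                       # same address reused
    Output("c1:0", p2wpkh(b"\xbb" * 20), 25_0000),                      # fresh: hash only
    Output("d1:0", p2wpkh(b"\xcc" * 20), 7_5000, in_mempool=True),      # spend in flight
]

if __name__ == "__main__":
    for op, (kind, reason) in exposure(SAMPLE_LEDGER).items():
        print(f"{op:6} {kind:7} {reason or 'hash only; not exposed'}")
    print("exposed balance (sats):", exposed_balance(SAMPLE_LEDGER))
```

On the sample ledger the P2PK output, the reused P2PKH output and the in-flight P2WPKH output are flagged, while the fresh P2WPKH output is not, which is the article's ordering of risk. The consolidation advice follows directly: moving the flagged balance to a never-spent address removes it from `exposed_balance`, and the in-flight case disappears on its own once the transaction confirms.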
The Realistic Bottom Line
Bitcoin is safe from quantum computers today, and will almost certainly remain so for years. The risk is real but not imminent, and the network has time to respond. What it does not have is infinite time: because exposed public keys cannot be un-exposed, the work of adopting a quantum-resistant signature scheme should begin well before any capable machine exists. For a holder, the correct posture is neither panic nor dismissal — it is to treat quantum as a long-horizon risk worth monitoring, follow the post-quantum standards process, and practise basic address hygiene in the meantime. For a fuller treatment, crypto.news maintains a detailed quantum-safety reference.
Frequently Asked Questions
Can a quantum computer steal my Bitcoin today? No. No quantum computer that exists in 2026 is remotely capable of breaking Bitcoin's 256-bit elliptic-curve cryptography. Public demonstrations have reached only about 15 bits.
Which Bitcoin is most at risk from quantum computing? Coins behind exposed public keys: reused addresses, old pay-to-public-key (P2PK) outputs from Bitcoin's earliest years, and the brief window while a transaction is unconfirmed. Funds in fresh, never-spent modern addresses only expose a hash of the key.
What does ‘harvest now, decrypt later’ mean? It describes an attacker recording exposed public keys today and waiting until a capable quantum computer exists to crack them. Because an exposed key stays exposed, the threat is stored up in advance.
Can Bitcoin be upgraded to resist quantum computers? Yes. It would require adding a post-quantum signature type through a soft fork, followed by a multi-year migration as users move coins to new quantum-safe address formats. Standards bodies have already finalised the underlying algorithms.
Should I sell my Bitcoin because of quantum risk? There is no evidence-based reason to sell over quantum risk in 2026. The sensible approach is to monitor the post-quantum standards process and practise good address hygiene, not to make decisions on headlines.
Disclaimer: This article is for information and education only. It is not financial, investment or legal advice. Cryptocurrencies are volatile and you can lose money. Always do your own research and consider speaking with a licensed financial professional before making any investment decision.