Quantum computing risk puts 7 million BTC including Satoshi Nakamoto’s 1 million at stake

In the event that quantum computers one day become capable of breaking Bitcoin’s cryptography, around 1 million BTC attributed to Satoshi Nakamoto, the creator of the Bitcoin network, could become vulnerable to theft.

At today’s price of around $67,600 per bitcoin, that cache alone would be worth approximately $67.6 billion.

But Satoshi’s coins are only part of the story.

Estimates circulating among analysts suggest that about 6.98 million bitcoins could be vulnerable in a sufficiently advanced quantum attack, Ki Young Ju, the founder of CryptoQuant, recently wrote on X. At current prices, those exposed coins represent about $440 billion.

The question, which is now becoming more and more prevalent in and outside of bitcoin circles, is simple and at times quite controversial

Why some coins are exposed

Vulnerability is not uniform. In Bitcoin’s early years, pay-to-public-key (P2PK) transactions embedded public keys directly on the chain. Modern addresses typically reveal only a hash of the key until coins are spent, but once a public key has been revealed, whether through early mining or address recycling, the exposure is permanent. In a sufficiently advanced quantum scenario, the private keys behind these exposed public keys could in theory be derived.
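The distinction above can be checked mechanically from an output's locking script. The following is an added example, not code from the article or from any Bitcoin project: it classifies a script as exposing its public key at creation (P2PK), exposing it through reuse (a hashed script that has already been spent from), or still hash-only. The function names, the `spent_before` set and all sample scripts are constructed for illustration.

```python
# Added example: classify Bitcoin output scripts by public-key exposure.
# Sample scripts are constructed placeholders, not real on-chain data.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC


def classify(script: bytes) -> str:
    """Return the template name for a few standard output script types."""
    n = len(script)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG, the key itself is in the output
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        prefix = script[1]
        if (n == 35 and prefix in (2, 3)) or (n == 67 and prefix == 4):
            return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    # P2WPKH: version-0 witness program carrying a 20-byte key hash
    if n == 22 and script[:2] == bytes([0x00, 20]):
        return "p2wpkh"
    return "other"


def exposure(script_hex: str, spent_before: set) -> str:
    """Return exposed-at-creation, exposed-by-reuse, hash-only or unknown."""
    kind = classify(bytes.fromhex(script_hex))
    if kind == "p2pk":
        return "exposed-at-creation"
    if kind in ("p2pkh", "p2wpkh"):
        # Spending reveals the key, so coins sitting on a script that was
        # already spent from are guarded by a key that is public for good.
        return "exposed-by-reuse" if script_hex in spent_before else "hash-only"
    return "unknown"


# Constructed sample scripts (hex, lowercase)
P2PK_UNCOMPRESSED = "41" + "04" + "11" * 64 + "ac"
P2PK_COMPRESSED = "21" + "02" + "22" * 32 + "ac"
P2PKH_FRESH = "76a914" + "33" * 20 + "88ac"
P2PKH_REUSED = "76a914" + "44" * 20 + "88ac"
P2WPKH_FRESH = "0014" + "55" * 20


def audit(scripts, spent_before):
    """Map each script to its exposure class."""
    return {s: exposure(s, spent_before) for s in scripts}
```
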

Neutrality vs. intervention

For some, freezing these coins would undermine bitcoin’s fundamental neutrality.

“Bitcoin’s structure treats all UTXOs equally,” said Nima Beni, founder of Bitlease. “It does not discriminate based on wallet age, identity, or perceived future threat. That neutrality is fundamental to the credibility of the protocol.”

Creating exceptions, even for security reasons, changes that architecture, he said. Once there is authority to freeze coins for protection, it also exists for other reasons.

Georgii Verbitskii, founder of crypto investor app TYMIO, raised a relevant concern: the network has no reliable way to determine which coins are lost and which are simply dormant.

“It is virtually impossible to distinguish between coins that are truly lost and coins that are simply dormant,” Verbitskii said. “From a protocol perspective, there is no reliable way to tell the difference.”

For this camp, the solution lies in upgrading cryptography and enabling voluntary migration to quantum-resistant signatures instead of rewriting ownership conditions at the protocol layer.

Let the math decide

Others argue that intervention would violate Bitcoin’s core principle: private keys control coins.

Paolo Ardoino, CEO of Tether, suggested that allowing old coins to come back into circulation, even if through quantum breakthroughs, may be preferable to changing consensus rules.

“Any bitcoin in lost wallets, including Satoshi (if not alive), will be hacked and put back into circulation,” he continued. “Any inflationary effect of lost coins returning to circulation would be temporary, the thinking goes, and the market would eventually absorb it.”

Under this view, “code is law”: if cryptography evolves, coins move.

Roya Mahboob, CEO and founder of the Digital Citizen Fund, took a similarly hardline stance. “No, freezing old addresses from the Satoshi era would violate immutability and property rights,” she told CoinDesk. “Even coins from 2009 are protected by the same rules as coins mined today.”

If quantum systems eventually crack exposed keys, she added, “whoever solves them first should claim the coins.”

However, Mahboob said she expects upgrades driven by ongoing research among Bitcoin Core developers to strengthen the protocol before any serious threat materializes.

The case for burning

Jameson Lopp said that allowing quantum attackers to sweep vulnerable coins would amount to a massive redistribution of wealth to whoever gains access to advanced quantum hardware first.

In his essay Against Allowing Quantum Recovery of Bitcoin, Lopp rejects the term “confiscation” when describing a defensive soft fork. “I don’t think ‘confiscation’ is the most accurate term to use,” Lopp wrote. “Rather, what we’re really discussing would be better described as ‘burning’ rather than placing the funds out of reach for everyone.”

Such a move would likely require a soft fork that renders vulnerable outputs unusable unless they are migrated to upgraded quantum-resistant addresses by a deadline—a change that would require broad social consensus.

Allowing quantum recovery, he adds, would reward technological superiority over productive participation in the network. “Quantum miners don’t trade anything,” Lopp wrote. “They are vampires who feed off the system.”

How close is the threat?

While the philosophical debate intensifies, the technical timeline remains disputed.

Zeynep Koruturk, managing partner at Firgun Ventures, said the quantum community was “flabbergasted” when recent research suggested that fewer physical qubits than previously thought may be needed to break widespread encryption systems like RSA-2048.

“If this can be proven in the lab and confirmed, the timeline for decrypting RSA-2048 could in theory be shortened to two to three years,” she said, noting that advances in large-scale fault-tolerant systems would eventually also apply to elliptic curve encryption.

Others urge caution.

Aerie Trouw, co-founder and CTO of XYO, believes that “we’re still far enough away that there’s no practical reason to panic.”

Frederic Fosco, co-founder of OP_NET, was more direct. Even if such a machine did appear, “you upgrade the cryptography. That’s it. This is not a philosophical dilemma: it’s a technical problem with a known solution.”

In the end, the issue is one of governance, timing and philosophy — and whether the Bitcoin community can reach consensus before quantum computing becomes a real and present threat.

Freezing vulnerable coins would challenge Bitcoin’s claim of immutability. Allowing them to be swept away would challenge its commitment to justice.
