On March 31, 2026, Google's Quantum AI team dropped a 57-page paper that sent a very specific number ricocheting across crypto Twitter: nine minutes. That is how long, they calculated, a sufficiently powerful quantum computer would need to derive a private key from a public key and redirect a Bitcoin transaction before the network confirms it.
The average Bitcoin block time is ten minutes. Do the math, and the implication is unsettling. A quantum attacker has roughly a 41% chance of beating the blockchain itself.
Headlines exploded. Satoshi's million-coin fortune was declared vulnerable. The $2 trillion crypto market was pronounced imperiled. Jefferies reportedly advised clients to drop Bitcoin allocations entirely. And somewhere in the noise, the actual practical threat to ordinary holders got buried.
Here is what most coverage missed, and why your wallet is more exposed than Satoshi's.
What Google Actually Found (And What They Did Not)
The paper is not a hack announcement. No quantum computer today can do this. Google's Sycamore processor operates with 53 qubits. The attack they modeled requires roughly 500,000 physical qubits operating with error rates far below anything currently achievable.
The hardware does not exist. The timeline, according to Google's internal confidence curve, is 2029.
But the paper did something more important than predicting a date. It redefined the nature of the threat.
Previous estimates assumed quantum computers would target dormant wallets, harvesting public keys from the blockchain at leisure and cracking them offline. Google's team showed that a future machine could be "primed" in advance, pre-computing everything that does not depend on a specific public key.
Once a transaction hits the mempool and exposes the public key, the machine needs only nine minutes to finish the derivation. The attack shifts from static to real-time. It is no longer about old coins sitting still. It is about live transactions in flight.
Bitcoin's ten-minute block time was never designed as a security feature. It was a compromise between settlement speed and network propagation. Now it looks like a window.
The 6.9 Million Bitcoin Problem
Google's research identified approximately 6.9 million BTC, roughly one-third of the total supply, sitting in addresses where the public key has already been exposed. This breaks down into three categories:

The Satoshi coins grab the headlines because they represent mythology. But here is the critical distinction: Satoshi's bitcoins are in Pay-to-Public-Key addresses from 2009.
Those public keys have been visible on the blockchain for seventeen years. If a quantum computer ever reaches the capability Google modeled, those coins are the first target, not the most urgent. They are stationary. They can be cracked at leisure.
Your coins, if you have ever reused an address or spent from a Taproot wallet using the key-path, are in the second and third categories. And unlike Satoshi's dormant fortune, your public keys get exposed every time you transact.
The "Harvest Now, Decrypt Later" Reality
Sean Ren, co-founder of Sahara AI, put the immediate risk bluntly: "Bad actors are already collecting as much encrypted data as possible so that, when the tech is ready, all that archived data becomes readable."
This is not theoretical. State-level actors with long investment horizons are almost certainly downloading blockchain data today, cataloging exposed public keys, and building target lists for a future where quantum hardware catches up to quantum theory.
The "harvest now, decrypt later" strategy requires no quantum computer at all. It requires storage, patience, and a belief that the cryptographic wall will eventually fall.
For Bitcoin holders, this means the exposure you create today may outlast your own operational security. An address you reused in 2024, a transaction you made last month, a donation address you posted publicly, these are all being recorded by entities who plan to operate on a ten-year timeline.
Why Bitcoin Is More Vulnerable Than Ethereum or Solana
Here is where the blockchain comparison gets uncomfortable.

Bitcoin's longer block time, once a feature that allowed global consensus without high-speed infrastructure, becomes a liability in this specific threat model. Ethereum and Solana confirm transactions faster than a quantum machine could theoretically hijack them. Bitcoin's deliberate slowness creates the intercept window.
Bitcoin's governance structure compounds the problem. Migrating to post-quantum cryptography requires consensus across a decentralized network of miners, developers, node operators, and economic stakeholders. BIP-360, one of the leading proposals for removing exposed public keys from the blockchain, is currently on testnet.
Its co-authors estimate a full network migration could take seven years from proposal to universal adoption. Google's 2029 timeline for cryptographically relevant quantum computers leaves a narrowing margin that Bitcoin's governance was not designed to compress.
Ethereum, by contrast, has already begun integrating quantum-resistant signatures through its roadmap. The network's more centralized development structure allows faster protocol upgrades, for better or worse. Solana's high throughput makes real-time interception mathematically improbable.
Bitcoin's design philosophy, trust the code, slow and steady, no central authority, is exactly what makes it slow to adapt when the threat is time-bound.
What the Proposed Fixes Actually Do (And Do Not Do)
The developer community is not idle. Three major defensive proposals are in various stages of discussion:
BIP-360: Remove Exposed Public Keys This proposal would allow the network to "sweep" early P2PK outputs, including Satoshi's coins, into new quantum-resistant addresses. The political problem is obvious: it requires effectively confiscating, or at least forcibly relocating, the most famous unspent coins in crypto history. The technical problem is harder: how do you prove ownership of a quantum-resistant address for coins whose original private keys were lost or never tracked? BIP-360 solves the exposure problem by creating a new one.
SPHINCS+ and Hash-Based Signatures NIST standardized post-quantum cryptographic algorithms in 2024. SPHINCS+ is a hash-based signature scheme that is provably secure against quantum attacks. The trade-off is size. SPHINCS+ signatures are roughly 8 kilobytes, compared to ECDSA's 64 bytes. On a network where block space is scarce and transaction fees are market-priced, multiplying signature size by 100x has economic consequences that could price out small transactions entirely.
Hourglass V2: Time-Lock Delays This proposal would introduce mandatory time delays for spending from exposed addresses, giving the network time to detect and respond to quantum-derived signatures. It protects the 1.7 million early P2PK bitcoins but does nothing for the 5.2 million in reused addresses, because those keys are exposed dynamically, not historically.
None of these solutions are deployed. All of them require soft forks or hard forks that Bitcoin's governance has historically taken years to coordinate. The gap between threat timeline and adaptation timeline is the real story.
The Three Things You Should Actually Do
Panic is not a strategy. But neither is assuming this is a 2035 problem. Here is a practical framework for evaluating your own exposure:
1. Audit Your Address History If you have ever reused a Bitcoin address, your public key is on the blockchain permanently. If you have spent from a Taproot address using the key-path (the default in most modern wallets), your public key is visible. If you hold coins in very old wallets from before 2010, you are in the P2PK category. The only holders with zero historical exposure are those who have generated a new address for every receive, never spent, and never reused.
Most hardware wallets today generate new addresses automatically. But if you have ever posted a donation address, used a static payment address for business, or manually copied an old address for convenience, you have created exposure.
2. Stop Reusing Addresses Immediately This is the single most effective action available today. Every reuse broadcasts your public key to the permanent record. Modern wallets, including Ledger, Trezor, and most software implementations, use hierarchical deterministic (HD) wallets that generate fresh addresses automatically. Use them. If your workflow requires a static address, consider a Lightning Network invoice or a fresh address for every transaction.
3. Monitor Post-Quantum Migration Proposals BIP-360 and related proposals will require user action if they activate. The migration will not be automatic. You will need to move funds to new address formats, potentially through specific transactions that prove ownership without exposing additional keys. Follow the Bitcoin Core mailing list, the Bitcoin Improvement Proposal repository, and developer discussions. The time to understand the process is before the soft fork is scheduled, not after.
What This Means for the Broader Market
The quantum threat is not a Bitcoin-specific problem. It is a public-key cryptography problem. RSA, which secures the majority of internet traffic, banking infrastructure, and government communications, is equally vulnerable to Shor's algorithm. A quantum computer capable of cracking Bitcoin would crack SSL certificates, banking encryption, and classified communications first.
This is why some analysts, including Blockstream CEO Adam Back, argue that the practical quantum threat to Bitcoin is 20 to 40 years away. The reasoning is not that Bitcoin's cryptography is stronger than the banking system's. It is that the banking system is a higher-value target, and a quantum breakthrough would trigger a coordinated global response that upgrades all cryptographic standards simultaneously.
The counterargument is that Bitcoin's decentralized governance cannot coordinate like a central bank. While the Federal Reserve could mandate a cryptographic upgrade across the banking sector with a regulatory notice, Bitcoin requires economic majority consensus. The same feature that makes Bitcoin resistant to government seizure makes it resistant to rapid protocol adaptation.
Google's paper, in this reading, is less a death sentence for Bitcoin and more a stress test for its governance model. Can a decentralized network adapt to an existential threat on a centralized timeline? The next three years will answer that question.
The Verdict: Threat, Not Crisis
No quantum computer today can crack Bitcoin. The 2029 timeline is an estimate, not a promise, and estimates in quantum computing have a history of optimism. IBM's current flagship processor has 156 qubits. Google's has 53. The gap to 500,000 is not an engineering challenge. It is a physics challenge involving error rates, coherence times, and materials science that may prove harder than the qubit count itself.
But the "harvest now, decrypt later" threat is real today. The 6.9 million exposed bitcoins are real today. The governance bottleneck is real today. And the 41% intercept window against live transactions, if the hardware ever arrives, is a design feature of Bitcoin that cannot be easily changed without rearchitecting the network's consensus mechanism.
The headlines will continue to focus on Satoshi's million coins because mythology drives clicks. The practical focus should be on address reuse, wallet hygiene, and governance speed. Quantum computing is not coming for Bitcoin's founder. It is coming for anyone who has treated public keys as disposable and private keys as permanently safe.
The nine-minute window is a warning, not a countdown. How the network responds in the years before the hardware arrives will determine whether that window ever opens.
FAQ
Does a quantum computer exist that can crack Bitcoin today?
No. Current quantum processors operate with tens to hundreds of qubits. The attack Google modeled requires roughly 500,000 physical qubits with error rates far below current capabilities.
How much Bitcoin is actually at risk?
Google estimates approximately 6.9 million BTC, roughly one-third of the supply, sits in addresses where the public key has been exposed on the blockchain. This includes early P2PK addresses, reused addresses, and Taproot key-path spends.
Is Satoshi's fortune the most vulnerable?
Satoshi's ~1 million BTC are in early P2PK addresses with exposed public keys, making them theoretically vulnerable. However, they are dormant and can be cracked at leisure. Active wallets with reused addresses face a more immediate "harvest now, decrypt later" threat.
Can I protect my Bitcoin today?
Yes. Stop reusing addresses. Use modern HD wallets that generate fresh addresses automatically. Monitor post-quantum migration proposals. No immediate action is required, but good address hygiene permanently reduces your exposure.
Will Bitcoin upgrade to quantum-resistant cryptography?
Developers are actively working on proposals including BIP-360, SPHINCS+ signatures, and time-lock mechanisms. However, Bitcoin's decentralized governance means upgrades require broad consensus and typically take years to deploy. The timeline is uncertain.
Are other blockchains safer?
Ethereum and Solana have shorter confirmation times (12-15 seconds and 0.4 seconds respectively), making real-time transaction interception mathematically improbable. Ethereum has also begun integrating quantum-resistant signatures. However, all public-key cryptography faces the same long-term threat.
Key Takeaways
- Google's paper modeled a 9-minute quantum attack window against Bitcoin's 10-minute block time, creating a 41% intercept probability for live transactions.
- 6.9 million BTC sit in exposed addresses, but the real risk is "harvest now, decrypt later" attacks against reused addresses, not just Satoshi's dormant coins.
- Bitcoin's longer block time and slower governance make it more vulnerable than faster-moving chains like Ethereum and Solana.
- No quantum computer exists today that can execute this attack, but state actors are likely harvesting blockchain data for future decryption.
- The most practical protection is address hygiene: stop reusing addresses, use HD wallets, and monitor post-quantum upgrade proposals.