Daily Crypto News & Musings

Coinbase Council Warns Quantum Computing Could Expose 7 Million BTC


Bitcoin Faces Quantum Risk as Coinbase Council Warns of 7 Million BTC Exposure

Bitcoin’s long-term threat may not be a regulator, a rival chain, or some influencer’s latest moon-boy nonsense. It may be quantum computing — a future machine class that could one day crack today’s cryptography and turn old BTC ownership rules into a punchline.

  • Coinbase’s quantum advisory council says Bitcoin needs a post-quantum plan now
  • Roughly 7 million BTC could be exposed under worst-case assumptions
  • The real fight is not just technical — it’s governance, property rights, and migration rules

Coinbase’s Quantum Computing and Blockchain Advisory Council is shining a brutal light on a problem Bitcoiners have mostly treated as distant background noise: what happens if a cryptographically relevant quantum computer, or CRQC, becomes powerful enough to break the signature schemes that protect Bitcoin ownership? The council’s June report, “Post-Quantum Migration and Abandoned Coins,” argues that this is not just a software upgrade issue. It is a governance fight hiding inside a cryptographic emergency.

Launched by Coinbase in January, the council includes Scott Aaronson, Dan Boneh, Justin Drake, Sriram Kannan, Yehuda Lindell, and Dahlia Malkhi. That is not a random grab bag of crypto Twitter personalities and venture bros. These are serious names in computer science and cryptography, and their warning is simple enough to understand: if quantum machines eventually break today’s cryptography, what happens to Bitcoin that can’t — or won’t — move to quantum-resistant addresses?

“If quantum machines eventually break today’s cryptography, what happens to Bitcoin (BTC) that can’t—or won’t—move to quantum-resistant addresses?”

That question matters because Bitcoin ownership is not magic. It depends on cryptographic signatures — specifically elliptic-curve cryptography, including ECDSA and Schnorr signatures — which prove that the spender has the private key controlling the coins. Think of the public key as the lock’s visible structure and the private key as the actual key. If a powerful quantum computer can use Shor’s algorithm to derive private keys from public keys, then some coins could become vulnerable to theft.

That is the core Bitcoin quantum risk. Not “quantum” in the vague sci-fi sense. Not “maybe someday a lab demo gets a headline.” The report is talking about a machine strong enough to compromise current blockchain signatures in a practical way. That is why the phrase cryptographically relevant quantum computer keeps coming up. It means a quantum machine that is useful against real-world cryptography, not a toy problem for a whiteboard exercise.

The council cites warnings suggesting the chance of a CRQC by around 2030 may already exceed 50%. That is not a certainty, and it should not be treated like prophecy carved into stone. But it is also not a number to shrug off. Google reportedly has an internal target of 2029 for moving toward post-quantum cryptography, which is a useful reality check: major tech players are already laying the groundwork instead of waiting around for a cosmic RSVP from the future.

Bitcoin’s exposure is made worse by its own history. Early P2PK outputs — Pay to Public Key — reveal public keys directly on-chain. That means if quantum attacks ever become viable, those coins are sitting there with their face visible. The report estimates about 1.7 million BTC are locked in around 20,000 P2PK public keys. On top of that, on-chain analysis from Project 11 suggests up to 5 million BTC could be vulnerable because of address reuse and related habits. Put those together and the rough total lands near 7 million BTC at risk.

That number needs a little context. It does not mean 7 million BTC are definitely about to be stolen tomorrow. It means that under the kinds of assumptions this report is trying to warn about, that much Bitcoin may sit on address types or usage patterns that would be vulnerable if quantum attacks become practical. Some of those coins are dormant, some may be lost, and some may still be in active custody. In other words, this is not just a “forgotten wallet” problem. Exchange and custodian cold wallets may also be exposed if they rely on legacy practices or address reuse.
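The distinction the last two paragraphs draw, a public key sitting visibly in the output itself versus only a hash of it until the first spend, can be checked mechanically. The Python below is an added example written for this page; it is not code from the council’s report or from Project 11. It classifies a handful of constructed outputs by script template and by whether an earlier spend from the same script has already put the key on-chain (the address-reuse case), then totals the BTC per exposure class. Every key, hash, amount, transaction label and the set of previously-spent scripts are constructed placeholders. It goes slightly beyond the article by also covering P2WPKH, which hides the key behind a hash like P2PKH, and P2TR, whose output script carries the tweaked public key directly and therefore lands in the same exposed class as P2PK.

```python
"""Classify unspent outputs by whether the public key a quantum attacker would
need is already visible on-chain.  Added example with constructed sample data;
not code from the Coinbase council report or from Project 11."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Script opcodes used by the standard output templates matched below.
OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x51, 0x76, 0xA9, 0x88, 0xAC


@dataclass(frozen=True)
class Utxo:
    txid: str              # constructed placeholder label, not a real transaction id
    script_pubkey: bytes   # the output's locking script
    amount_btc: float


def script_type(script: bytes) -> str:
    """Match the common output templates; anything else is reported as 'other'."""
    n = len(script)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG -- the key itself is in the output.
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    # P2WPKH: OP_0 <push 20> <hash160>
    if n == 22 and script[:2] == bytes([OP_0, 20]):
        return "p2wpkh"
    # P2TR: OP_1 <push 32> <x-only tweaked output key> -- the key is in the output.
    if n == 34 and script[:2] == bytes([OP_1, 32]):
        return "p2tr"
    return "other"


def exposure(utxo: Utxo, revealed_scripts: Set[bytes]) -> str:
    """'key_on_chain' if Shor's algorithm would already have a public key to
    work from; 'key_hidden_until_spend' if only a hash is visible so far."""
    kind = script_type(utxo.script_pubkey)
    if kind in ("p2pk", "p2tr"):
        return "key_on_chain"
    if kind in ("p2pkh", "p2wpkh"):
        # Address reuse: a previous spend from this exact script put the key
        # into a scriptSig or witness, so the hash no longer hides anything.
        return "key_on_chain" if utxo.script_pubkey in revealed_scripts else "key_hidden_until_spend"
    return "unknown"


def tally(utxos: Iterable[Utxo], revealed_scripts: Set[bytes]) -> Dict[str, float]:
    """Sum BTC per exposure class, rounded to satoshi precision."""
    totals: Dict[str, float] = {}
    for u in utxos:
        cls = exposure(u, revealed_scripts)
        totals[cls] = round(totals.get(cls, 0.0) + u.amount_btc, 8)
    return totals


# ---- constructed sample data (placeholder keys and hashes, not real ones) ----
PUBKEY = bytes.fromhex("02" + "11" * 32)   # 33-byte compressed-key shape
HASH_B = bytes.fromhex("22" * 20)          # hash160 of a key that has been reused
HASH_C = bytes.fromhex("33" * 20)
HASH_D = bytes.fromhex("44" * 20)
XONLY = bytes.fromhex("55" * 32)           # 32-byte x-only key shape

P2PKH_B = bytes([OP_DUP, OP_HASH160, 20]) + HASH_B + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_C = bytes([OP_DUP, OP_HASH160, 20]) + HASH_C + bytes([OP_EQUALVERIFY, OP_CHECKSIG])

SAMPLE_UTXOS = [
    Utxo("tx-a", bytes([33]) + PUBKEY + bytes([OP_CHECKSIG]), 50.0),   # early P2PK block-reward-style output
    Utxo("tx-b", P2PKH_B, 1.5),                                        # P2PKH, address reused after a spend
    Utxo("tx-c", P2PKH_C, 0.25),                                       # P2PKH, never spent from
    Utxo("tx-d", bytes([OP_0, 20]) + HASH_D, 0.75),                    # P2WPKH, never spent from
    Utxo("tx-e", bytes([OP_1, 32]) + XONLY, 2.0),                      # P2TR, output key visible
]
# Scripts an earlier transaction has already spent from (key revealed on-chain).
REVEALED = {P2PKH_B}

if __name__ == "__main__":
    for u in SAMPLE_UTXOS:
        print(u.txid, script_type(u.script_pubkey), exposure(u, REVEALED), u.amount_btc)
    print(tally(SAMPLE_UTXOS, REVEALED))
```

Run against the constructed set, the P2PK output, the reused P2PKH output and the P2TR output land in the exposed class (53.5 BTC in the sample) while the two never-spent hash-based outputs stay hidden until their owners spend (1.0 BTC). On real data the `revealed_scripts` set is what the address-reuse analysis cited above has to build from chain history, and it is the larger and harder part of the count.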

That is where the issue stops being a simple technical upgrade and turns into a political mess. The council says Bitcoin needs two things at once: a path to quantum-resistant cryptography and a decision on what to do with coins that never move. That second part is where the fight gets ugly.

One proposal is to burn legacy coins after a migration deadline. Burning coins means making them permanently unspendable — effectively removing them from circulation to protect the network from quantum theft. That would lower the attack surface, but it also raises a serious property-rights problem. If an owner misses the cutoff, should the network erase the coins? Bitcoin purists will hate that idea, and frankly, they have a point. If the rules can retroactively kill your funds, the “hard money” pitch starts to look a little less hard and a lot more conditional.

The opposite camp says do nothing beyond enabling quantum-safe address types and letting users choose their own level of risk. That keeps Bitcoin aligned with its hands-off ethos. It also leaves vulnerable coins as open season for anyone with a future quantum weapon. Freedom is great. So is not making yourself an easy target. There is a reason “please exploit me later” is not considered a healthy security strategy.

Between those extremes sit some more practical, if still messy, ideas:

Hourglass would limit withdrawals from vulnerable outputs per block, slowing any mass drain and giving the network breathing room.

BIP-361 proposes retiring old signature types after a cutoff, while still allowing recovery through zero-knowledge proof mechanisms such as SNARKs. A zero-knowledge proof lets someone prove something is true without revealing the underlying secret — useful if you want to show control of funds without exposing raw keys in a dangerous way.

PACTs would let users pre-commit transactions to quantum-safe addresses before attacks become viable, moving funds ahead of the risk window instead of after the fire alarm starts screaming.

None of these ideas is a silver bullet. That is the whole problem. Bitcoin is trying to solve a future threat without wrecking its own credibility in the present. If it protects dormant or lost coins too aggressively, it risks trampling on the property-rights ethos that gives Bitcoin much of its moral force. If it does too little, it may hand attackers a giant future jackpot. Welcome to governance under uncertainty — the part of decentralization that sounds noble until someone has to make the actual decision.

“The core problem is not merely technical. It is also a governance dilemma.”

“The industry may not know exactly when the threat arrives, but it cannot afford to wait for certainty before preparing.”

“The quantum era is not simply a cryptographic upgrade. It is a test of governance under uncertainty.”

That is the part a lot of Bitcoiners would rather not talk about. The network has long sold itself on the idea that rules are fixed, transparent, and resistant to human meddling. Post-quantum migration may force exactly the kind of collective decision-making that purists usually treat like radioactive waste. Who decides the deadline? Who enforces it? Is it a soft fork, a hard fork, or some hybrid coordination nightmare between wallets, exchanges, miners, and users who barely manage to update their apps on time? These are not academic questions. They are the whole ballgame.

Institutional adoption also hangs in the balance. Custodians, exchanges, ETF providers, and long-term holders need clarity on whether their assets will remain safe in a post-quantum world. If policy is vague, institutions will hesitate, lawyers will start salivating, and compliance teams will demand more paperwork than a mortgage broker with a caffeine addiction. Market integrity matters here, because uncertainty around post-quantum asset safety could become a real friction point for capital entering Bitcoin and other blockchains.

Bitcoin is not alone in facing this problem. Ethereum and other blockchain systems rely on signature schemes that would also need post-quantum migration. The difference is that Bitcoin’s early address formats and long-dormant holdings make the issue especially stark. The network’s greatest strength — immovable, rule-based ownership — can also become its greatest weakness if the underlying cryptography is outgunned.

That does not mean panic is justified. It does mean planning is overdue. The most responsible reading of the report is not “quantum is about to kill Bitcoin.” It is that Bitcoin should not wait for a theoretical crisis to become a practical one before designing the escape route. The threat may still be years away, but cryptographic migration in a system this large is not something you slap together in a weekend patch.

There is also a deeper lesson here for the broader crypto sector. A lot of projects love to brag about decentralization, but few want to confront what happens when technology forces uncomfortable tradeoffs between immutability, property rights, and collective security. Quantum computing is a reminder that no system gets to coast forever on past assumptions. The math changes. The rules have to follow.

What is the quantum threat to Bitcoin?

A sufficiently powerful quantum computer could use Shor’s algorithm to derive private keys from public keys, which would undermine Bitcoin’s current signature protections.

How much Bitcoin might be exposed?

The council’s warning points to roughly 7 million BTC potentially exposed when combining early P2PK outputs and address-reuse-related vulnerability.

Why are early Bitcoin outputs a problem?

P2PK outputs reveal public keys directly on-chain, making them easier targets if quantum attacks ever become practical.

Is this only about lost or dormant coins?

No. Some vulnerable BTC may still sit in exchange and custodian cold wallets, which makes the risk bigger than just abandoned holdings.

Should Bitcoin burn un-migrated coins?

That is one proposed route, but it is highly controversial because it would permanently invalidate coins that owners failed to move in time.

Are there middle-ground solutions?

Yes. Hourglass, BIP-361, and PACTs are all attempts to reduce quantum risk without forcing an immediate all-or-nothing purge.

Why does this matter for institutions?

Because custodians and large holders need a clear plan for post-quantum asset safety, or they may slow adoption and demand stricter custody rules.

What is the real issue here?

Not just cryptography — governance. Bitcoin may have to choose between preserving absolute property rights and protecting the network from future quantum theft.

Bitcoin has survived exchange blowups, government hostility, miner drama, and endless predictions of its death from people who clearly can’t tell a chart from a horoscope. Quantum computing is a different beast. It is not a meme, and it is not a marketing buzzword. It is a plausible future threat to the signatures that make Bitcoin ownership real.

The upside is that the warning is arriving early enough to do something about it. The downside is that doing something about it means facing hard questions nobody gets to dodge forever: migration deadlines, legacy address retirement, recovery rules, institutional custody, and whether “abandoned” coins should remain fair game for future quantum thieves. The community can either plan like adults now, or wait until the cryptographic floor drops out and start yelling about decentralization after the damage is done.