Coinbase’s quantum computing and blockchain advisory council has thrown a difficult question back at the crypto industry: if quantum machines eventually break today’s cryptography, what happens to Bitcoin (BTC) that can’t—or won’t—move to quantum-resistant addresses?
In a report released in June titled “Post-Quantum Migration and Abandoned Coins”, the independent group argues that the core problem is not merely technical. It is also a governance dilemma with direct implications for market integrity, institutional participation, and the credibility of ‘ownership’ on a permissionless network.
The council, launched in January, brings together leading figures in cryptography and computer science, including Scott Aaronson (University of Texas at Austin), Dan Boneh (Stanford University), Justin Drake (Ethereum Foundation), Sreeram Kannan (Eigen Labs and University of Washington), Yehuda Lindell (Coinbase and Bar-Ilan University), and Dahlia Malkhi (UC Santa Barbara). Rather than betting on a specific timeline, the authors frame their message around uncertainty: the industry may not know exactly when the threat arrives, but it cannot afford to wait for certainty before preparing.
The report’s premise is that quantum computers cannot yet crack major blockchains, but the arrival of a ‘cryptographically relevant quantum computer’ (CRQC)—powerful enough to compromise elliptic-curve signatures used by systems like Bitcoin (BTC) and Ethereum (ETH)—is plausible within the next decade. The council points to warnings suggesting the probability of such a machine emerging by around 2030 could be greater than 50%. Google, for its part, has previously indicated an internal target of 2029 to complete a shift toward post-quantum cryptography, underscoring how seriously major technology firms are treating the risk.
According to the advisory council, the post-quantum transition has two distinct challenges. The first is a pure engineering problem: how to migrate protocols and wallets to quantum-resistant signature schemes. The second is more politically fraught: how to deal with ‘abandoned coins’—funds that remain on legacy addresses and do not migrate, whether because keys are lost, owners are inactive, or custody is unclear.
Bitcoin (BTC) is singled out as the acute case due to early design choices and the scale of exposed funds. In the network’s early days, many coins were stored in ‘P2PK’ (Pay to Public Key) outputs, where the public key is visible on-chain. That matters because a sufficiently capable quantum computer could use Shor’s algorithm to derive a private key from a public key, allowing an attacker to spend funds without authorization.
The report estimates that roughly 1.7 million BTC are locked in about 20,000 P2PK public keys, many believed to be tied to early-era holders, including wallets often associated with Satoshi Nakamoto, or to users who lost their keys. Later address types such as P2PKH (Pay to Public Key Hash) improved safety by exposing only a hash of the public key—until a user spends from the address and reveals the public key, or repeatedly reuses the same address. Once revealed, the output becomes vulnerable in a post-quantum scenario.
Citing on-chain analysis from Project 11, the council says as many as 5 million BTC could be vulnerable due to address reuse and related practices. Combined with P2PK exposure, that implies roughly 7 million BTC may be at risk in a quantum-breakthrough scenario. Crucially, the report stresses that this is not just a story about long-lost coins: a significant portion of potentially exposed BTC is actively held and used today, including large exchange cold wallets. In other words, the problem extends beyond dormant “Satoshi-era” holdings and into the plumbing of modern market infrastructure.
From there, the report maps out two opposing “pure positions,” without endorsing either.
The first is ‘burning’ or invalidation via a protocol-enforced deadline. Under this approach, Bitcoin (BTC) would adopt quantum-resistant signatures and, after a defined cutoff, refuse to accept spends authorized under legacy schemes such as ECDSA or Schnorr. Any coins not moved by the deadline would effectively become unspendable forever. Proponents argue the logic is consistent with standard security practice: once a cryptographic primitive is broken, it should be deprecated. Because signatures function as proof of ownership, allowing quantum attackers to claim funds would be equivalent to transferring value to parties who are not the legitimate owners.
Supporters also point to systemic risks. A sudden flood of previously unspendable coins could shock supply dynamics and destabilize prices. There is also a geopolitical dimension: if a sanctioned actor were to seize a large trove of vulnerable BTC, it could undermine confidence in Bitcoin’s neutrality and legitimacy. Under this view, users who responsibly migrate should not suffer a network-wide ‘negative externality’ created by others’ inaction.
The second pure position is ‘do nothing’ beyond enabling quantum-resistant address types. This camp argues that choosing not to migrate—and bearing the risk of theft—is itself an expression of Bitcoin’s core principle: absolute, censorship-resistant property rights without centralized judgments. Burning funds, they say, is not meaningfully different from retroactively altering outcomes to correct theft, and could open the door to broader network-level ‘ownership sanctions’ once a precedent is set.
Practical uncertainty also weighs heavily on this side. A missed deadline might reflect neglect—but it could also reflect incarceration, delayed inheritance, institutional custody disputes, or temporary loss of access. Because the network cannot reliably distinguish these cases, critics argue that enforced invalidation risks punishing legitimate owners without due process. A more moderate version of this stance suggests postponing any decisive action until a quantum break is publicly demonstrated, rather than acting on forecasts.
Between the extremes, the advisory council outlines several compromise proposals designed to reduce systemic risk while preserving some path for legitimate recovery.
One idea, known as ‘Hourglass,’ would limit how much BTC can be withdrawn from P2PK outputs per block. By throttling the outflow—such as capping withdrawals to one BTC per block—even a quantum attacker could not dump a massive volume onto the market quickly, potentially reducing the risk of a disorderly price collapse. Unlike outright invalidation, Hourglass would still leave open a recovery route for rightful owners.
Another approach, ‘BIP-361,’ envisions banning ECDSA and Schnorr signatures after a cutoff while allowing owners to move funds by proving—via a zero-knowledge proof (ZK), potentially using a quantum-resistant SNARK—that they know the preimage of a private-key hash. The logic is that quantum computing may enable derivation of private keys from public keys, but it does not automatically confer the ability to invert secure hash functions. The report notes important limitations: this technique would apply primarily to keys derived from mnemonic or HD wallet seed phrases (such as BIP-32) and would not solve the earliest 2012-and-prior P2PK outputs.
A third proposal, ‘PACTs,’ targets owners who want to preserve privacy or reduce immediate on-chain signaling but still prepare. The mechanism uses Bitcoin’s timestamping properties to pre-commit a transaction that transfers coins from a vulnerable key to a quantum-safe address, embedding only a hash commitment on-chain ahead of time. Because the transaction is created before quantum-capable attacks are feasible, it could later be recognized as valid even after legacy signatures are disallowed. The council notes that these proposals are not mutually exclusive and could, in principle, be combined.
Despite cataloging options, the report stops short of recommending a single policy. Instead it emphasizes two imperatives. First, begin the technical migration work now—adopting quantum-resistant signatures is a distinct track from the governance debate over abandoned coins, and should not be delayed while the community argues over the hardest edge cases. Second, deliver clarity. The advisory council argues that uncertainty over how Bitcoin (BTC) will handle abandoned coins in a post-quantum scenario is already a barrier for ‘institutional participation,’ because it complicates custody risk models and long-term asset security assumptions.
The implications extend beyond theory. If a meaningful portion of vulnerable BTC sits in exchange and custodian cold wallets, then crypto market infrastructure—particularly in jurisdictions with large retail participation and regulated exchange sectors—faces a tangible operational audit question: which holdings are exposed by address type or key-reuse practices, and what is the migration plan if the threat horizon shortens?
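As an added illustration of the exposure criteria the report describes (P2PK outputs, and P2PKH addresses whose key was revealed by an earlier spend) and of the audit question raised above, here is a small Python classifier; it is not code from the council's report. The script templates are Bitcoin's standard P2PK and P2PKH forms; the UTXO set and the set of HASH160 values already revealed by prior spends are constructed sample data, and a real audit would harvest that revealed set from chain history.

```python
from dataclasses import dataclass
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

@dataclass(frozen=True)
class Utxo:
    txid: str
    value_btc: float
    script_pubkey: bytes  # raw scriptPubKey bytes

def classify_script(script: bytes) -> tuple:
    """Return ('p2pk', pubkey), ('p2pkh', hash160) or ('other', None)."""
    # P2PK template: <push 33|65> <pubkey> OP_CHECKSIG; the key sits in the output itself
    if len(script) >= 2 and script[0] in (33, 65) and len(script) == script[0] + 2 \
            and script[-1] == OP_CHECKSIG:
        return "p2pk", script[1:-1]
    # P2PKH template: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if len(script) == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", script[3:23]
    return "other", None

def audit(utxos: list, revealed_pkh: set) -> dict:
    """Tally value whose public key is already on-chain (revealed_pkh: HASH160s seen in spends)."""
    r = {"exposed_btc": 0.0, "unexposed_btc": 0.0, "unassessed_btc": 0.0, "exposed": []}
    for u in utxos:
        kind, material = classify_script(u.script_pubkey)
        if kind == "p2pk":
            reason = "P2PK: public key is in the output script"
        elif kind == "p2pkh" and material in revealed_pkh:
            reason = "P2PKH reuse: public key revealed by a prior spend"
        elif kind == "p2pkh":
            r["unexposed_btc"] += u.value_btc   # only the hash is public so far
            continue
        else:
            r["unassessed_btc"] += u.value_btc  # P2SH/SegWit/Taproot not classified here
            continue
        r["exposed_btc"] += u.value_btc
        r["exposed"].append((u.txid, reason))
    return r

PUBKEY_C, PUBKEY_U = b"\x02" + b"\x11" * 32, b"\x04" + b"\x22" * 64  # constructed keys, not real
PKH_REUSED, PKH_FRESH = b"\xaa" * 20, b"\xbb" * 20
PKH_PRE, PKH_SUF = bytes([OP_DUP, OP_HASH160, 20]), bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE_UTXOS = [
    Utxo("tx1", 50.0, bytes([65]) + PUBKEY_U + bytes([OP_CHECKSIG])),  # early-era P2PK
    Utxo("tx3", 1.0, PKH_PRE + PKH_REUSED + PKH_SUF),                   # reused address
    Utxo("tx4", 0.5, PKH_PRE + PKH_FRESH + PKH_SUF),                    # never spent from
    Utxo("tx5", 4.0, bytes([0x00, 0x14]) + b"\xcc" * 20),               # P2WPKH, unassessed
]
SAMPLE_REVEALED = {PKH_REUSED}  # tx3's key became public when that address was spent from before
```

Running `audit(SAMPLE_UTXOS, SAMPLE_REVEALED)` flags tx1 and tx3 as exposed (51.0 BTC), leaves tx4 unexposed, and reports tx5 as not assessed, which is the split a custodian would want per address type before planning a migration.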
More broadly, the coming debate forces Bitcoin’s community to confront a foundational tension: the absolutist interpretation of ‘code is law’ and unqualified property rights versus a more collective argument that the network may need to impose constraints—potentially even rendering some coins unspendable—to preserve economic security and market trust. The advisory council’s message is that the quantum era is not simply a cryptographic upgrade. It is a test of governance under uncertainty, and the decisions made well before a CRQC exists may shape how global capital ultimately evaluates Bitcoin’s resilience.