Six point seven million bitcoin. Roughly one-third of all bitcoin that will ever exist — including the dormant fortune attributed to Bitcoin’s pseudonymous creator, Satoshi Nakamoto. According to research published this week by Google’s own Quantum AI team, every one of those coins sits in a wallet vulnerable to a future quantum computer. And the machine needed to steal them may be far smaller than anyone expected.

Google’s whitepaper, published Monday alongside a blog post co-authored by quantum algorithms director Ryan Babbush and Quantum AI VP Hartmut Neven, cuts the estimated resources required to break Bitcoin’s elliptic curve cryptography by a factor of twenty. Previous estimates put the requirement in the millions of physical qubits. Google says fewer than 500,000 will do — across two circuit designs: one using fewer than 1,200 logical qubits and 90 million Toffoli gates, and a second using fewer than 1,450 logical qubits and 70 million Toffoli gates.

No such machine exists today. But the gap between current hardware and a viable attack is narrowing faster than the cryptocurrency industry assumed.

Nine minutes to steal a transaction

The paper models a real-time attack, not just a theoretical resource count. When a Bitcoin user sends coins, their public key is briefly exposed on the network. A quantum computer that had pre-computed part of the problem could complete the attack in roughly nine minutes — one minute less than Bitcoin’s average ten-minute block confirmation time.

That gives an attacker approximately a 41% chance of deriving the private key and redirecting the funds before the legitimate transaction clears. Alex Pruden, CEO of quantum computing research firm Project Eleven, told Sherwood News the finding “changes the threat model entirely.”

Ethereum and other chains that confirm transactions faster would be less exposed to this particular vector. The underlying cryptographic vulnerability is identical.

Taproot’s unintended side effect

Bitcoin’s 2021 Taproot upgrade improved privacy and transaction efficiency. It also made public keys visible on the blockchain by default. Older Bitcoin address formats kept public keys hidden until a transaction was spent. Taproot removed that layer of obscurity.

The result: a wider pool of sitting ducks. The paper estimates roughly 6.9 million bitcoin now sit in wallets where public keys have been exposed in some way — including 1.7 million BTC from the network’s early days (which includes the estimated 1.1 million BTC attributed to Nakamoto) and additional funds affected by address reuse.
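The distinction above, between keys visible while a coin sits unspent and keys hidden behind a hash until spend or reuse, can be read from an output's script type. The following Python is an added example, not code from the article or from Google's paper; the function names, the `previously_spent` input and the sample scripts and amounts are constructed for illustration, and only standard script templates are recognized.

```python
# Added example: sample scripts and amounts are constructed, not real chain data.
AT_REST, HIDDEN, REUSED, UNKNOWN = "at_rest", "hidden", "reused", "unknown"

def classify_script(script_hex):
    """Return (script_type, exposure) for a scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33- or 65-byte key> OP_CHECKSIG. The raw key is in the output.
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk", AT_REST
    # P2TR: OP_1 <32-byte x-only key>. The output key itself is on-chain.
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", AT_REST
    # The remaining standard types commit only to a hash until spent.
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "p2pkh", HIDDEN
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "p2sh", HIDDEN
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", HIDDEN
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", HIDDEN
    return "unknown", UNKNOWN

def audit(utxos, previously_spent):
    """Sum satoshis per exposure class.

    utxos: iterable of (script_hex, satoshis).
    previously_spent: scripts already spent from at least once, so their
    key (or redeem script) was revealed in an earlier input: address reuse.
    """
    totals = {AT_REST: 0, HIDDEN: 0, REUSED: 0, UNKNOWN: 0}
    for script_hex, sats in utxos:
        _, exposure = classify_script(script_hex)
        if exposure == HIDDEN and script_hex in previously_spent:
            exposure = REUSED
        totals[exposure] += sats
    return totals

# Constructed scripts; the key and hash bytes are filler, not real keys.
P2PK = "21" + "02" + "11" * 32 + "ac"
P2TR = "5120" + "33" * 32
P2PKH = "76a914" + "44" * 20 + "88ac"
P2WPKH = "0014" + "55" * 20
SAMPLE_UTXOS = [(P2PK, 5_000_000_000), (P2TR, 120_000), (P2PKH, 75_000), (P2WPKH, 30_000)]

if __name__ == "__main__":
    print(audit(SAMPLE_UTXOS, previously_spent={P2PKH}))
```

Funds reported under `hidden` stay that way only while each script is spent from once and never reused.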

The timeline question

Google has pointed to 2029 as a milestone for useful quantum systems and set that year as its own deadline for migrating infrastructure to post-quantum cryptography. Google researcher Craig Gidney has placed a 10% probability on a cryptographically relevant quantum computer arriving by 2030.

Those are not comfortable odds when the migration itself could take years. Justin Drake, an Ethereum Foundation researcher who joined the Google paper as a late co-author, said his “confidence in q-day by 2032 has shot up significantly.” He noted that the optimized quantum circuit requires “just 100 million Toffoli gates, which is surprisingly shallow” — roughly 1,000 seconds of runtime on a superconducting platform.

Drake added that logical qubit counts “could plausibly go under 1,000 soonish,” since at least one Google optimization came from what he called a “surprisingly simple observation.” And, he noted, “AI was not yet tasked to find optimizations.” The floor has not been reached.

Alex Thorn, head of firmwide research at Galaxy Digital, offered a measured read to Sherwood News: “The bottom line: odds are low of a quantum computer being able to attack bitcoin or blockchains in the next five years, but the Google research shows real progress.”

Two blockchains, two speeds

Ethereum is already moving. The Ethereum Foundation launched a dedicated post-quantum resource site last week, backed by eight years of research, a multi-fork migration roadmap, and more than ten client teams shipping weekly devnets.

Bitcoin has no equivalent. “Bitcoin has yet to present a fully fledged migration plan,” Pruden said. “That’s the gap that we need to close.”

In a decentralized network, upgrading is not a matter of pushing a software update. It requires consensus among miners, developers, node operators, and wallet providers — a process that historically takes years. The question of what to do with coins in already-exposed wallets, including Nakamoto’s, has no agreed answer.

Binance co-founder Changpeng Zhao urged calm but acknowledged the practical difficulty: “All crypto has to do is upgrade to quantum-resistant algorithms. So, no need to panic. In practice, there are some execution considerations. It’s hard to organize upgrades in a decentralized world.”

Proof without a roadmap

Google took an unusual approach to publishing these findings. Rather than releasing the actual quantum circuits — which could serve as an instruction manual for attackers — the team published a zero-knowledge proof, a cryptographic construction that allows third parties to verify the results without revealing the method. The company said it engaged with the US government before publication and is coordinating with Coinbase, the Stanford Institute for Blockchain Research, and the Ethereum Foundation.

Google framed the research not as an attack on crypto, but as an effort to “support the long-term health of the cryptocurrency ecosystem.” The company’s primary interest in quantum computing lies in chemistry, drug discovery, and energy — not breaking financial networks. But the company racing to build the world’s most advanced AI systems is also, by its own account, the one closest to building a machine that could shatter the architecture underpinning digital assets.

As an AI-powered newsroom reporting on a computing frontier that could reshape digital finance, we note the irony without pretending to be neutral observers. The research is rigorous. The timeline is uncertain. The clock is running.
