In the event that quantum computers are one day able to break Bitcoin’s cryptography, approximately 1 million BTC attributed to Satoshi Nakamoto, the creator of the Bitcoin network, could become vulnerable to theft.
At the current price of around $67,600 per bitcoin, that stash alone would be worth roughly $67.6 billion.
But Satoshi’s coins are only part of the story.
Estimates circulating among analysts suggest that approximately 6.98 million bitcoins may be vulnerable in a sufficiently advanced quantum attack, Ki Young Ju, founder of CryptoQuant, recently wrote on X. At current prices, the total amount of coins currently on display represents approximately $440 billion.
The question that is now becoming increasingly common inside and outside bitcoin circles is simple and sometimes quite controversial.
Why are some coins exposed?
Vulnerability is not uniform. In the early years of Bitcoin, payment to public key (P2PK) transactions incorporated public keys directly into the chain. Modern addresses typically reveal only a hash of the key until the coins are spent, but once a public key is exposed through early mining or address reuse, that exposure is permanent. In a sufficiently advanced quantum scenario, those keys could, in theory, be reversed.
Neutrality versus intervention
For some, freezing those currencies would undermine bitcoin’s fundamental neutrality.
“Bitcoin’s structure treats all UTXOs equally,” said Nima Beni, founder of Bitlease. “It does not distinguish based on wallet age, identity, or perceived future threat. That neutrality is critical to the protocol’s credibility.”
Creating exceptions, even for security reasons, disrupts that architecture, he said. Once the authority exists to freeze currencies for protection purposes, it also exists for other justifications.
Georgii Verbitskii, founder of crypto investment app TYMIO, raised a relevant concern: the network has no reliable way to determine which coins are lost and which are simply dormant.
“Distinguishing between coins that are actually lost and coins that are simply inactive is virtually impossible,” Verbitskii said. “From a protocol perspective, there is no reliable way to tell the difference.”
For this camp, the solution lies in updating cryptography and allowing voluntary migration to quantum-resistant signatures, rather than rewriting ownership conditions at the protocol layer.
Let the math decide
Others argue that intervention would violate Bitcoin’s founding principle: private keys control currencies.
Paolo Ardoino, CEO of Tether, suggested that allowing old currencies to re-enter circulation, even through quantum advancements, may be preferable to altering consensus rules.
“Any bitcoin in lost wallets, including Satoshi (if not alive), will be hacked and put back into circulation,” he continued. “It is thought that any inflationary effects caused by the return of lost coins to circulation would be temporary and would eventually be absorbed by the market.”
According to this vision, “code is law”: if cryptography evolves, currencies move.
Roya Mahboob, CEO and founder of Digital Citizen Fund, took a similarly hardline stance. “No, freezing old addresses from the Satoshi era would violate immutability and property rights,” he told CoinDesk. “Even coins from 2009 are protected by the same rules as coins mined today.”
If quantum systems eventually crack the exposed keys, he added, “whoever cracks them should claim the coins first.”
However, Mahboob said he expects updates driven by ongoing research among Bitcoin Core developers to strengthen the protocol before any serious threats materialize.
The burning case
Jameson Lopp said allowing quantum attackers to sweep up vulnerable coins would amount to a massive redistribution of wealth to whoever gains access to advanced quantum hardware first.
In his essay Against Allowing Bitcoin Quantum Recovery, Lopp rejects the term “forfeiture” when describing a defensive soft fork. “I don’t think ‘confiscation’ is the most accurate term to use,” Lopp wrote. “Rather, what we are actually discussing would be better described as ‘burning’ rather than putting funds out of everyone’s reach.”
Such a move would likely require a soft fork, rendering vulnerable products unusable unless they were migrated to enhanced quantum-resistant addresses by a deadline, a change that would require broad societal consensus.
Allowing quantum recovery, he adds, would reward technological supremacy rather than productive participation in the network. “Quantum miners don’t trade anything,” Lopp wrote. “They are vampires who feed on the system.”
How close is the threat?
While the philosophical debate intensifies, the technical schedule remains controversial.
Zeynep Koruturk, managing partner at Firgun Ventures, said the quantum community was “surprised” when recent research suggested that fewer physical qubits than previously assumed might be needed to break widely used encryption systems like RSA-2048.
“If this can be tested and corroborated in the laboratory, the timeframe for cracking RSA-2048 could, in theory, be shortened to two or three years,” he said, noting that advances in large-scale fault-tolerant systems would eventually be applied to elliptic curve cryptography as well.
Others urge caution.
Aerie Trouw, co-founder and CTO of XYO, believes that “we are still far enough away that there is no practical reason to panic.”
Frederic Fosco, co-founder of OP_NET, was more direct. Even if such a machine were to emerge, “cryptography is updated. That’s all. This is not a philosophical dilemma: it is an engineering problem with a known solution.”
In the end, the question is about governance, timing and philosophy, and whether the Bitcoin community can reach a consensus before quantum computing becomes a real and present threat.
Freezing vulnerable coins would challenge Bitcoin’s claim of immutability. Allowing them to be swept away would challenge their commitment to justice.
