Quantum Threat to Cryptocurrency: 2026 News & Developments
Quantum computers that can steal Bitcoin are no longer a theoretical future problem. They are an engineering problem on a measurable timeline - and the cryptocurrency ecosystem has not started protecting itself. Quantum Resistant Ledger (QRL) has been quantum-safe since 2018 using XMSS signatures - the protection Bitcoin and Ethereum are still planning. See QRL 2.0 (Zond) and QRL FAQs.
Last updated: April 1, 2026
⚠️ The Quantum Threat: From Theory to Timeline
The physics has been proven across four independent teams on three continents, and scaling is now pure engineering. Nature (February 2026) confirmed a "vibe shift": usable quantum computers within a decade, not decades. Google's whitepaper reduces the physical qubit requirement for a Bitcoin attack to under 500,000 on a superconducting machine; Oratomic shows a neutral-atom machine with roughly 10,000 to 26,000 qubits, a scale already demonstrated in the lab, could execute the same attack in days. NIST, NSA, and the Federal Reserve have all issued formal warnings. The hardware timeline is compressing faster than the research community expected. The migration timeline is not moving at all.
The Key Numbers
$2.5 trillion in crypto rests on cryptographic foundations with a known quantum vulnerability. $54 billion in cumulative global government quantum investment is accelerating the timeline. Q-Day - when a quantum computer can break public-key cryptography - is now a question of engineering schedule, not physics.
Logical Qubits Required for Cryptographic Attacks
Algorithm
Logical Qubits
Physical Qubits (est.)
Threat Level
ECDSA-256 (Bitcoin/Ethereum)
1,098 min (qubit-constrained) - 1,200-1,450 (Google 2026)
Multiple companies are targeting utility-scale fault-tolerant systems between 2028 and 2033. The ~1,200 logical qubit attack threshold (per Google's whitepaper) falls within these roadmap windows.
~6.9 million BTC (25-30% of total supply) in quantum-vulnerable addresses, including Satoshi's estimated ~1 million BTC in P2PK addresses permanently exposed since 2009
~1.7 million BTC specifically in P2PK locking scripts - confirmed by Google's whitepaper
~$470 billion at current prices sitting in address types where the public key is already on-chain with no way to un-expose it - regardless of any future protocol upgrade
Even the most careful holders are exposed during the ~10-minute mempool window each time they send a transaction. Google's whitepaper estimates ~41% theft probability for a Bitcoin on-spend attack
A quantum attacker could steal and dump millions of dormant coins simultaneously - crashing the market independently of any protocol upgrade or migration debate. Google's whitepaper raises the possibility of governments needing to create "digital salvage" legal frameworks to prevent this wealth from falling to criminals or adversarial state actors.
Crypto Defence Status
Bitcoin - BIP-360 merged into official BIP repository (Feb 11, 2026); BTQ testnet live with first working P2MR implementation (Mar 19, 2026); mainnet activation not scheduled 🟡 Early stage
Ethereum - Glamsterdam/Hegota upgrades discussed, weekly testnets running; five distinct attack vectors identified by Google whitepaper ❌ Not deployed to mainnet
Five papers now define the attack landscape. The Google Quantum AI whitepaper (March 30, 2026) achieves 1,200-1,450 logical qubits in ~18-23 minutes on a superconducting machine with under 500,000 physical qubits - validated by a zero-knowledge proof. The Oratomic paper (March 31, 2026) demonstrates this can run on ~10,000 physical neutral-atom qubits in roughly 10 days. Both estimates represent dramatic reductions from prior work and fall within current and near-term hardware capabilities.
🔴 Executive Summary - What You Need to Know Right Now
Quantum computers that can steal Bitcoin are no longer a theoretical future problem. They are an engineering problem on a measurable timeline - and the cryptocurrency ecosystem has not started protecting itself.
The five facts every crypto holder needs:
#
Fact
Source
1
~6.9 million BTC (25-30% of total supply) sits in addresses where the public key is already exposed and quantum-stealable
Google Quantum AI / Project Eleven, 2026
2
Google officially warned Q-Day could arrive as early as 2029 and published a whitepaper showing Bitcoin can be attacked in ~9 minutes with fewer than 500,000 physical qubits - a ~20x reduction from prior estimates
Google Quantum AI, March 30, 2026
3
Caltech/Oratomic showed Shor's algorithm can run at cryptographic scale with as few as 10,000 physical qubits using high-rate qLDPC codes on a neutral-atom architecture - 100x below prior estimates for this platform
Cain et al., arXiv:2603.28627, March 31, 2026
4
Four independent research teams on three continents have proven quantum error correction works. Scaling is now an engineering problem, not a physics problem
Nature, February 2026
5
Bitcoin migration is only at testnet stage. BIP-360 was merged into Bitcoin's official BIP repository (Feb 11) and BTQ launched a working testnet (Mar 19), but mainnet activation has no timeline. Ethereum's quantum upgrades are in weekly testnet testing but not deployed
BIP-360.org, BTQ, 2026
What "Harvest Now, Decrypt Later" means for you today:
Adversaries are recording blockchain transactions right now and storing them on cheap hard drives, waiting for a quantum computer powerful enough to crack them. The Federal Reserve confirmed this is happening. Data harvested today cannot be "un-harvested" after a future protocol upgrade. For addresses that have already exposed their public keys - P2PK, reused addresses, Taproot - no future migration can fully protect historical transactions.
Google Quantum AI Publishes Cryptocurrency Whitepaper
Google Quantum AI published a comprehensive whitepaper - "Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities: Resource Estimates and Mitigations" - authored by researchers including Ryan Babbush, Craig Gidney, Hartmut Neven, Justin Drake (Ethereum Foundation), and Dan Boneh (Stanford). This is the most technically authoritative assessment of the quantum threat to cryptocurrency published to date.
The headline numbers: Shor's algorithm for 256-bit ECDLP (secp256k1) can execute with ≤1,200 logical qubits and ≤90 million Toffoli gates, or ≤1,450 logical qubits and ≤70 million Toffoli gates. On a superconducting architecture with 10⁻³ physical error rates and planar connectivity, these circuits require fewer than 500,000 physical qubits - roughly a 20-fold reduction over prior estimates. The attack completes in approximately 18 - 23 minutes. With a "primed" precomputation approach, the post-broadcast window shrinks to ~9 minutes - inside Bitcoin's 10-minute average block time.
Responsible disclosure model: Rather than publishing the actual quantum circuits, Google validated their results using a zero-knowledge (ZK) proof - allowing anyone to cryptographically verify the resource estimates without accessing the attack details.
New attack taxonomy - three types of quantum attack: On-Spend (public key in mempool during ~10-min confirmation window, ~41% theft probability against Bitcoin); At-Rest (public keys already permanently on-chain - P2PK, P2TR, reused addresses); On-Setup (fixed public protocol parameters like KZG trusted setups - Bitcoin immune, but Ethereum DAS, Tornado Cash, Mimblewimble vulnerable).
Ethereum's five quantum attack vectors: Account model (ECDSA, ~20.5M ETH in top 1,000 accounts); Smart contract admins (ECDSA, ~2.5M ETH + ~$200B in stablecoins/RWAs); Smart contract code (ECDSA, alt_bn128, KZG, BLS12-381, ~15M ETH in L2/protocols); Validator keys (BLS signatures, ~37M ETH staked); Data Availability Sampling (KZG commitments, undermines trust in the chain itself).
Dormant assets - the "burn or steal" dilemma: Around 1.7 million BTC is secured by P2PK locking scripts, including Satoshi-era mining rewards. These coins are permanently exposed on-chain and cannot be migrated via any fork. The Bitcoin community faces three protocol options: Do Nothing (accept inevitable theft), Burn (destroy the coins before a quantum attacker can steal them), or Hourglass (a gradual freeze/timeout). The paper argues that public policy may need to create a legal framework for "digital salvage."
Caltech/Oratomic Show Shor's Algorithm Needs Only ~10,000 Physical Qubits
Researchers from Caltech and the startup Oratomic published a paper demonstrating that Shor's algorithm can be executed at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits - more than two orders of magnitude below previous estimates for neutral-atom architectures and roughly 100x below the roughly 1 million qubits typically cited for surface-code approaches.
Key numbers: Space-efficient (serial): ~9,739 - 11,033 physical qubits, ~1,000 days ECC-256 runtime. Balanced: ~11,961 - 13,255 physical qubits, ~264 days. Time-efficient (parallel): ~26,000 physical qubits, ~10 days for ECC-256. All runtimes assume 1 ms stabilizer measurement cycle, consistent with near-term neutral-atom hardware.
Why this is a breakthrough: The result exploits high-rate quantum Low-Density Parity-Check (qLDPC) codes with ~30% encoding rates - meaning roughly 1 logical qubit per 3.5 physical qubits. Surface codes achieve only ~4% encoding rates, requiring hundreds of physical qubits per logical qubit.
Neutral-atom hardware status today: 6,100-qubit coherent arrays already demonstrated (Manetsch et al., Nature, 2025). Below-threshold fault-tolerant operation demonstrated on up to 500 qubits (Bluvstein et al., Nature, 2026). The gap between demonstrated capability and the ~10,000-qubit requirement is now one order of magnitude or less.
The Oratomic spin-out: The research team has founded Oratomic (Pasadena, CA) to commercialise the architecture, with the stated goal of building utility-scale fault-tolerant quantum computers before the decade ends.
Interaction with the Google whitepaper: These two papers are complementary and mutually reinforcing. The Google whitepaper provides new, highly optimised logical circuits requiring only 1,200 - 1,450 logical qubits. The Oratomic paper provides a physical architecture requiring only ~10,000 - 26,000 physical qubits. Together, they describe a credible path to a CRQC that is far smaller and closer in time than any prior analysis suggested.
Google Officially Warns Q-Day Could Arrive as Early as 2029
Google published a formal timeline for post-quantum migration, with VP of Security Engineering Heather Adkins and Senior Staff Cryptology Engineer Sophie Schmieg warning that cryptographically relevant quantum computers capable of breaking RSA and elliptic curve cryptography could exist as early as 2029. This is the first time Google has set a public timeline for its own PQC migration.
Google's response: Google has begun a proactive PQC migration, integrating the ML-DSA algorithm into Android 17 to establish a quantum-resistant chain of trust from the OS level. Google has also proposed Merkle Tree Certificates (MTCs) to solve the performance overhead of post-quantum signatures in web PKI.
For Crypto: The world's most widely-used mobile OS and most popular browser are being quantum-hardened on a defined schedule. Bitcoin and Ethereum governance have not agreed on an equivalent plan. The gap is widening by the month.
Quantinuum "Skinny Logic" Achieves Record 2:1 Physical-to-Logical Qubit Ratio
Quantinuum's Skinny Logic initiative, demonstrated on its 98-qubit Helios trapped-ion processor, achieved 48 error-corrected logical qubits from 98 physical qubits - a 2:1 ratio. For comparison, surface codes (the dominant approach) typically require 500:1 to 1,000:1. Logical qubits outperformed their physical counterparts by 10 to 100x.
Why This Matters for Crypto: The Google whitepaper now sets the minimum attack threshold at ~1,200 logical qubits. The Oratomic paper shows this can be achieved with ~10,000-26,000 physical qubits using high-rate qLDPC codes. The Skinny Logic result is a separate approach (trapped-ion + modified surface codes) reaching 2:1, showing that the qubit overhead reduction is occurring across multiple hardware platforms simultaneously.
Google Expands into Neutral-Atom Quantum Computing
Google Quantum AI appointed Dr. Adam Kaufman (JILA Fellow, University of Colorado Boulder) to lead a new neutral-atom quantum computing team - a second hardware modality alongside its superconducting program. Neutral-atom arrays already exist at 10,000 qubits with reconfigurable "any-to-any" connectivity.
Why This Matters: Google's dual-modality strategy directly hedges the fast-clock vs. slow-clock uncertainty outlined in its own whitepaper. Neutral-atom platforms scale efficiently in the "space dimension." Google's cryptocurrency whitepaper notes that slow-clock (neutral-atom/ion-trap) CRQCs will be able to launch at-rest attacks even before on-spend attacks become feasible - and the Oratomic paper published the same week demonstrates this path is more accessible than previously thought.
PsiQuantum Breaks Ground on World's First 1-Million-Qubit Facility
PsiQuantum began construction at the Illinois Quantum and Microelectronics Park in Chicago - the first utility-scale quantum computing construction project in history. The facility is designed for a 1 million-qubit quantum supercomputer, funded with $1 billion from NVIDIA, BlackRock, and state partners.
This is no longer a lab experiment. Industrial-scale quantum infrastructure is being built now. PsiQuantum uses standard semiconductor fabs, giving quantum the same manufacturing economics as classical chips.
BTQ Technologies launched Bitcoin Quantum testnet v0.3.0 on March 19, 2026 - the first working implementation of BIP-360 (Pay-to-Merkle-Root, P2MR), formally merged into Bitcoin's official BIP repository on February 11, 2026. The testnet has 50+ miners, 100,000+ blocks processed, and full wallet tooling.
What BIP-360 actually does - and does not do: BIP-360 is a meaningful first step, but it is critical to understand precisely what it protects and what it leaves completely exposed. The Google Quantum AI whitepaper now standardises two key attack types:
At-Rest attack (the most immediate threat): A quantum attacker has unlimited time to work. They harvest public keys that are already sitting permanently on the blockchain and use a quantum computer to derive the private key and drain the wallet. There is no time pressure. This is the threat that is happening in slow motion right now via Harvest Now, Decrypt Later. Even a slow-clock neutral-atom CRQC (like the Oratomic architecture) can execute this attack.
On-Spend attack (requires a faster quantum computer): When you send Bitcoin, your public key appears briefly in the mempool for roughly 10 minutes before a block confirms it. A quantum attacker would need to crack the key and broadcast a competing transaction within that window. The Google whitepaper estimates a ~41% theft probability against Bitcoin for a fast-clock (superconducting) CRQC operating at ~9 minutes per key derivation.
BIP-360 only addresses At-Rest attacks for new addresses going forward. On-Spend attacks are explicitly left to a future proposal.
How different address types expose public keys: P2PK (2009-2011, Satoshi era) - permanently on-chain from the moment you receive BTC (immediate risk). P2TR/Taproot (2021+) - permanently on-chain from receipt, the address itself encodes a recoverable form of the public key (immediate risk - the Google whitepaper explicitly labels P2TR a "security regression"). P2PKH legacy (1...) - hidden until you spend, then permanently exposed. P2WPKH/SegWit (bc1q) - hidden until you spend, then permanently exposed. Any reused address - once spent from, permanently exposed. P2MR (BIP-360, proposed, bc1z) - never exposed on-chain.
The irony of Taproot: activated in 2021 as Bitcoin's most advanced upgrade for privacy and smart contracts, it inadvertently worsened quantum exposure by encoding a recoverable form of the public key directly in the address.
What BIP-360 (P2MR) changes: Taproot's "key path" spend writes your public key to the blockchain permanently. BIP-360 removes this path entirely, forcing all spends through hash-based script commitments. Your key still appears briefly in the mempool during the ~10-minute confirmation window - BIP-360 does not fix this. Full mempool protection requires a separate future proposal to replace ECDSA/Schnorr with post-quantum signatures (ML-DSA or SLH-DSA).
Governance challenge: BIP-360 has no mainnet activation timeline. For reference, SegWit took ~8.5 years and Taproot ~7.5 years to reach widespread adoption. BIP-360 is forward-looking only: it does nothing for the ~$470 billion already sitting in exposed addresses - all P2PK, all Taproot, all reused addresses, all xpub-derived wallets. Even migrating existing coins to a P2MR address requires a transaction that briefly exposes the current public key in the mempool.
New Paper Reduces ECC Attack to 1,098 Logical Qubits (EUROCRYPT 2026)
A paper by Chevignard, Fouque, and Schrottenloher accepted at EUROCRYPT 2026 (ePrint 2026/280) demonstrates a space-optimised Shor's algorithm requiring only 1,098 logical qubits for 256-bit elliptic curve discrete logarithm - down from the previous minimum of 2,124. The method uses a Residue Number System and Legendre symbol compression to avoid modular inversion, achieving 3.12n + o(n) total qubits for an n-bit curve.
Important trade-off: This qubit-minimised result requires 22 independent runs and approximately 2^38.10 Toffoli gates each - a massively higher gate count than depth-optimised approaches. For early fault-tolerant hardware where logical qubits are the bottleneck, this provides a path to attacking ECC on smaller systems. For hardware where gate count is the bottleneck, Google's ~1,200-1,450 qubit / 18-23 minute approach remains more practical.
Turing Award Goes to Quantum Cryptography Founders for First Time
The ACM A.M. Turing Award - computing's highest honour - was awarded for the first time to quantum science. Charles H. Bennett (IBM Research) and Gilles Brassard (University of Montreal) share the $1 million prize for their foundational work on quantum information science, including the BB84 quantum key distribution protocol (1984) and quantum teleportation (1993).
Bennett and Brassard invented the quantum-safe cryptographic primitives that are now the backbone of post-quantum defence. Brassard himself noted the urgency of "harvest now, decrypt later" attacks at the award announcement.
Raccoon-G - First Post-Quantum Wallet with Full BIP32 HD Derivation
Researchers published the first post-quantum construction to recover full BIP32 hierarchical deterministic (HD) wallet functionality. Standard NIST PQC schemes (ML-DSA) destroy the linearity needed for non-hardened BIP32 derivation. Raccoon-G uses Gaussian-distributed secrets and full unrounded public keys to preserve it, with security proved under standard lattice assumptions. Trade-off: larger keys (~16 KB public key vs. 33 bytes for secp256k1).
Circle (USDC) Releases Q-Day Roadmap for Blockchains
Circle, issuer of USDC, published a detailed quantum preparation roadmap treating the entire blockchain stack as at risk. Key transitions: TLS 1.3 migration to X25519MLKEM768; replace elliptic curve SNARKs with quantum-resistant STARKs. U.S. and EU are expected to mandate PQC for critical infrastructure by 2030.
For Crypto: The first major stablecoin issuer has set a public timeline. 2030 regulatory mandates will compress the entire DeFi ecosystem's migration window.
Intel demonstrated the Heracles processor at ISSCC - a 3nm chip for Fully Homomorphic Encryption (FHE), which processes data without decrypting it. Performance: 1,074-5,547x faster than a 24-core Xeon CPU.
FHE makes quantum-safe, privacy-preserving cloud computing production-ready - enabling encrypted-by-default infrastructure even before Q-Day arrives.
IBM Quantum Simulates Real Magnetic Material - Verified Against Physical Lab Data
IBM and the DOE's Quantum Science Center used a 50-qubit Heron processor to simulate the magnetic crystal KCuF3, with results verified directly against neutron scattering experiments at Oak Ridge National Laboratory. This is the first time a quantum computer's output has been benchmarked against real physical material data rather than a classical computer.
This demonstrates that current "noisy" quantum hardware is already delivering scientifically reliable results at utility scale - before full fault tolerance is achieved. IBM projects fault-tolerant systems by 2029.
Silicon Quantum Processor Achieves Universal Logical Gate Set
Researchers at the Shenzhen International Quantum Academy demonstrated a silicon-based quantum processor executing a universal set of logical gate operations, including T-gates and CNOT operations, using five phosphorus donor nuclear spins in an isotopically purified silicon-28 lattice. Published in Nature Nanotechnology, the result validates error-corrected quantum computing on a platform fully compatible with existing CMOS semiconductor manufacturing.
Major national quantum investments announced: Karnataka, India ($114M for $20B quantum economy by 2035); Australia NRFC ($20M AUD for SQC atomic-scale semiconductor qubits); USA DOE ($37M for National QIS Research Centers); United Kingdom ($100M for Rigetti hardware development plus £2 billion ProQure program); Europe EC (€75M for EURO-3C quantum infrastructure). PsiQuantum's Chicago facility adds $1 billion - the largest single quantum infrastructure investment to date.
Fermilab-MIT Eliminate the Ion Trap Wiring Bottleneck
Fermilab and MIT Lincoln Laboratory demonstrated in-vacuum cryoelectronics for ion traps - mounting control chips directly inside the dilution refrigerator, eliminating the cable scaling problem that previously limited trapped-ion systems to dozens of qubits. This opens a credible path to tens of thousands of electrodes.
UC Santa Barbara Proposes CN Center - Stable Silicon Defect for Quantum Networking
UCSB researchers proposed the CN center silicon defect as a structurally stable telecom-band qubit emitter - solving the fragility problem of T centers caused by hydrogen migration during fabrication. Photonic Inc. is simultaneously exploring deuterium-substituted T centers for improved magnetic field control.
Telecom-band emitters are the foundation of modular quantum architectures that link distributed processors via standard optical fiber.
Niels Bohr Institute - Real-Time Qubit Monitoring During Computation
NBI researchers demonstrated a system that tracks qubit performance fluctuations in real time - down to fractions of a second - enabling dynamic noise correction during long computations. This is a prerequisite for Shor's algorithm, which requires sustained computation over extended periods.
Majorana Replication Controversy (Frolov et al., Science)
A team led by Sergey Frolov published replication studies in Science finding that signals previously interpreted as Majorana qubit signatures could be explained by simpler mechanisms when fuller datasets were analysed. The work underwent two years of peer review.
Context: This is separate from QuTech's February 2026 Nature paper demonstrating successful Majorana qubit readout via quantum capacitance, which remains uncontested. The controversy reinforces the value of diverse hardware strategies rather than undermining topological computing overall.
March 2026 - capped by two major papers published back-to-back on March 30 - 31 - marked a decisive shift from quantum research to quantum urgency. Google Quantum AI published the most comprehensive technical analysis of the cryptocurrency quantum threat ever written, simultaneously revealing a ~20x reduction in physical qubit requirements (to under 500,000) and a 9-minute on-spend attack window. The following day, Caltech/Oratomic showed the same attack is achievable with just 10,000 physical qubits on a neutral-atom architecture - 100x below prior estimates for that platform. Together, these papers collapse two of the main defences quantum sceptics have relied on: that millions of qubits are needed, and that neutral-atom machines are too slow to matter. Error-correction efficiency also took large steps forward with Quantinuum's Skinny Logic result and the EUROCRYPT paper pushing the minimum logical qubit threshold to 1,098. PsiQuantum broke ground on the world's first utility-scale quantum facility, governments committed over $1.5 billion in new quantum investment across five regions, and the Turing Award recognised quantum cryptography for the first time. On the defence side, BIP-360 reached testnet - meaningful progress, but with no mainnet timeline and no protection for the hundreds of billions already sitting in exposed addresses. The hardware is accelerating. The migration is not.