The Quantum Threat: Google Says Bitcoin Is Easier to Break Than Anyone Thought

Google's Quantum AI team published a whitepaper. Fewer than 500,000 qubits to crack Bitcoin. 6.9 million BTC exposed. Taproot made it worse. The clock just got faster.

The quantum computing threat

On March 31, 2026, Google's Quantum AI team dropped a whitepaper that made the entire crypto industry sit up straight. The paper found that breaking Bitcoin's elliptic curve cryptography could require fewer than 500,000 physical qubits. Previous estimates had put the number in the millions. This was a 20x reduction. The timeline for a practical quantum attack just shortened by years.

The researchers designed two attack models, each needing roughly 1,200 to 1,450 high-quality logical qubits. That is nowhere close to what current quantum computers can do. Google's own Willow chip has 105 qubits. But the gap between 105 and 1,200 is a lot smaller than the gap between 105 and several million. And quantum hardware is scaling fast.

The scariest part was the real-time attack scenario. When someone sends Bitcoin, the public key is briefly revealed on the network. A fast quantum computer could grab that public key, derive the private key using Shor's algorithm, and redirect the funds before miners confirm the block. Bitcoin transactions take about 10 minutes to confirm. Google's model showed an attacker could complete the calculation in roughly 9 minutes. Success rate: 41%.

Think about that. A 41% chance of stealing someone's Bitcoin mid-transaction. Not from an old wallet sitting dormant. From a transaction happening right now.

Then came the Taproot revelation. Bitcoin's 2021 Taproot upgrade was supposed to improve privacy and efficiency. It did both. But it also made public keys visible on the blockchain by default, removing a layer of protection that older address formats provided. From a quantum security perspective, Taproot was a regression. An upgrade designed to make Bitcoin better accidentally made it more vulnerable to an attack that did not exist yet.

The scale of exposure is massive. Approximately 6.9 million Bitcoin have exposed public keys sitting on the blockchain right now. That includes early mining outputs, reused addresses, and post-Taproot wallets. About 1 million of those coins are attributed to Satoshi Nakamoto. At current prices, the total exposure is roughly $440 billion.

This triggered the Satoshi question that CZ raised in a post the same day. If quantum computers ever reach the threshold, Satoshi's coins become a target. If Satoshi moves them, we learn that Satoshi is still alive. If Satoshi does not move them, the community faces a choice: lock those addresses to prevent quantum theft, or let whoever cracks them first take the coins. Both options violate something fundamental about Bitcoin. Locking coins violates immutability. Letting them get stolen violates the entire point of cryptographic security.

The Bitcoin community is not sitting still. BIP-360 proposes a new transaction structure called Pay-to-Merkle-Root that eliminates always-visible public keys. Another proposal called Hourglass would gradually restrict spending from vulnerable addresses, giving owners time to migrate while reducing theft risk. These are real proposals from real developers. But Bitcoin governance moves slowly. Any protocol change requires consensus across a decentralized network where nobody can just flip a switch.

Ethereum is moving faster. Vitalik Buterin published a quantum resistance roadmap in February 2026 identifying four vulnerability areas: validator signatures, data availability, wallet signatures, and zero-knowledge proofs. The Ethereum Foundation launched a dedicated Post-Quantum Security team in January 2026. EIP-8141, targeting the Hegotia hard fork in late 2026, would allow wallets to swap their signature scheme to quantum-resistant algorithms without a full protocol overhaul. Buterin called it Ethereum's most important omnibus upgrade in years.

The institutional response was split. Jefferies portfolio strategist Christopher Wood told investors to dump their 10% Bitcoin allocation and add gold instead. Bitcoin's underperformance against gold in 2026 - down 6.5% while gold surged 55% - seemed to validate the caution. Cathie Wood's Ark Invest pushed back hard, arguing that quantum computing is a long-term risk and that any breakthrough would hit broader internet security before it reaches Bitcoin. Galaxy Digital called it an engineering challenge, not an existential crisis.

Google is preparing its own house. The company set a 2029 deadline to migrate its authentication services to post-quantum cryptography. Android 17 already ships with quantum-resistant signatures. Chrome supports post-quantum key exchange. Google used zero-knowledge proofs to publish the whitepaper's findings without exposing the actual attack methodology. Smart. Prove you can break the lock without publishing the instructions.

CZ summed it up with characteristic bluntness: "It's always easier to encrypt than decrypt. More computing power is always good. Crypto will stay, post quantum." He is probably right. But "probably right" is not the same as "definitely right." And the distance between those two things is measured in qubits.

The quantum threat to Bitcoin went from theoretical to mathematical on March 31, 2026. Nobody is getting hacked tomorrow. But the engineers who build quantum computers and the engineers who build Bitcoin are now in a race. Bitcoin has never lost a race against technology before. Then again, it has never faced an opponent that operates outside classical physics.