The year 2025 marks a turning point in quantum computer development. IBM unveiled its Nighthawk processor with 120 qubits in November, featuring over 20 percent more couplers than its predecessor.
Microsoft introduced the Majorana 1 chip in February. It enables more stable qubits through a novel state of matter. Google's Willow chip improves error correction exponentially. While these advances are impressive, the crucial question remains: When will quantum computers become a real threat to Bitcoin?
The cryptography underlying Bitcoin was developed for classical computers. Quantum computers, however, follow completely different principles and can solve certain mathematical problems exponentially faster. For Bitcoin investors, a realistic assessment of this threat is critical. The Bitcoin community is responding: Several technical improvement proposals were submitted in 2025 to make the network quantum-resistant.
What is a quantum computer?
Quantum computers represent a revolutionary paradigm in information processing that harnesses the principles of quantum mechanics. Unlike classical computers, which use bits as the basic unit of data (either 0 or 1), quantum computers use qubits. A qubit, or "quantum bit," is the fundamental unit of quantum information in quantum computing systems. Through the principles of superposition and entanglement, qubits can exist in multiple states simultaneously, allowing quantum computers to perform complex calculations at unprecedented speeds.
The fundamental motivation behind quantum computers is solving the world's most complex problems, including issues in cryptography, materials science, and simulating complex systems. It's like checking every path in a maze at once, while a regular computer checks them one by one. However, malicious actors could also exploit their immense computing power to disrupt secure systems, such as those in public blockchains and crypto networks.
How quantum computers could attack Bitcoin
Bitcoin uses two cryptographic methods: SHA-256 for mining and ECDSA (Elliptic Curve Digital Signature Algorithm) for digital signatures. While SHA-256 remains nearly unbreakable even for quantum computers, ECDSA represents the actual vulnerability.
Attacking ECDSA with Shor's algorithm requires approximately 1,500 to 2,600 logical qubits. That sounds feasible – but the difference between logical and physical qubits is critical. A study by the University of Sussex estimates that a quantum computer would need between 13 million and 300 million physical qubits to crack the ECDSA signature in one to eight hours. This corresponds to a ratio of approximately 120,000 physical qubits per logical qubit.
Current systems are far from this level. IBM's Nighthawk processor has 120 qubits. Microsoft's Majorana 1 chip works with topological qubits to improve stability. Google's Willow achieved groundbreaking advances in error correction. Nevertheless, several orders of magnitude of computing power are still missing. IBM's updated roadmap from June 2025 envisions fault-tolerant quantum computers by 2029. IonQ expects 80,000 logical qubits by 2030. Princeton engineers achieved a breakthrough in 2025: Their superconducting qubit reaches coherence times over one millisecond – three times longer than the previous laboratory record.
Why the threat could still be decades away
Several arguments favor calm. First: The technical hurdle remains enormous. A cryptographically relevant quantum computer requires 1,500 to 2,600 logical qubits – corresponding to 13 to 300 million physical qubits. Current systems reach at most a few thousand. Even optimistic roadmaps see fault-tolerant systems no earlier than 2029.
Second: The solutions already exist. NIST published three post-quantum standards in 2024. Bitcoin could implement these algorithms long before quantum computers pose a real danger. According to insiders, the community is working "quietly" on protective measures.
Third: An upgrade would even strengthen Bitcoin. After a migration to quantum-secure addresses, active coins would be protected while lost coins remain frozen. The result: higher security with declining effective supply. Critics like Adam Back and Michael Saylor describe the current debate as "ridiculously early" and a pure "software upgrade problem," respectively.
Why other experts urge action
The counterarguments, however, carry significant weight.
- First: No new physical breakthroughs are needed anymore. Only an engineering challenge, albeit an extremely difficult one, separates quantum computers from becoming a threat to Bitcoin. 2025 was one of the most active years for breakthroughs and investments in the quantum field.
- Second: Implementation takes years. The necessary protective measures could require almost a decade for complete implementation. Since Bitcoin is decentralized, no one can force users to migrate their coins in time.
- Third: Millions of BTC are irrevocably exposed. Even after a successful upgrade, Bitcoin in abandoned addresses remains vulnerable. Estimates suggest that 1.7 million BTC could be stolen by quantum attackers – coins whose owners are no longer active or have lost their keys.
- Fourth: Other industries are already acting. The US plans to phase out classical cryptography by the mid-2030s. Cloudflare, Apple, and even blockchain projects like Solana have already implemented or tested quantum-resistant systems.
When will "Q-Day" arrive?
A global expert survey from 2025 shows a 50 percent probability for cryptographically relevant quantum computers between 2030 and 2035. Some analyses see "Q-Day" – the point at which quantum computers can break current encryption – as possible as early as 2028.
Forecasts vary widely. Conservative estimates see 20 to 40 years, aggressive ones two to eight years. McKinsey predicts Q-Day for RSA encryption in two to ten years. Grayscale, however, describes quantum computers as a "distraction" and emphasizes that relevant systems won't exist before 2030.
Vulnerable Bitcoin: The extent of the risk
The vulnerability is significant. Between 20 and 50 percent of all Bitcoin in circulation – approximately 4 to 10 million BTC worth several hundred billion dollars – are vulnerable through exposed public keys. The largest risk categories: About 2 million BTC are held in outdated P2PK addresses from Bitcoin's early days. Several million more are in reused addresses. The Human Rights Foundation puts the total at over six million BTC in "quantum-vulnerable" account types – including Satoshi Nakamoto's estimated 1.1 million BTC.
Once quantum computers are available, attackers could derive private keys from exposed public keys. Unlike a software bug, this damage cannot be reversed.
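The exposure categories described above can be read directly from an output's locking script. The following is an added example, not part of the original article: it classifies common scriptPubKey templates by whether the public key is visible on-chain and counts any script that was already spent from as exposed, which models address reuse. It goes beyond the article by also covering P2WPKH, P2SH and P2TR; the function names are hypothetical and all sample scripts are constructed placeholders.

```python
# Added example: classify scriptPubKey templates by public-key exposure.
# Key and hash bytes below are constructed placeholders, not real keys.

def classify(script_hex):
    """Return (script type, True if the public key is visible in the output)."""
    try:
        s = bytes.fromhex(script_hex)
    except ValueError:
        return "unknown", False
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG; the raw key is on-chain
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH", False
    # P2SH: OP_HASH160 <push 20> <hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "P2SH", False
    # P2WPKH: OP_0 <push 20> <hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", False
    # P2TR: OP_1 <push 32> <x-only output key>; the key is in the output
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR", True
    return "unknown", False

def audit(utxos, spent_scripts):
    """Sum satoshis per exposure class. spent_scripts holds scripts that were
    already spent from once (address reuse), which revealed their key."""
    spent = {s.lower() for s in spent_scripts}
    report = {"exposed": 0, "hashed": 0, "unknown": 0}
    for script_hex, sats in utxos:
        kind, visible = classify(script_hex)
        if kind == "unknown":
            report["unknown"] += sats
        elif visible or script_hex.lower() in spent:
            report["exposed"] += sats
        else:
            report["hashed"] += sats
    return report

REUSED = "76a914" + "33" * 20 + "88ac"             # constructed P2PKH script
SAMPLE = [                                          # constructed UTXO set
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000),  # P2PK, 50 BTC
    ("76a914" + "22" * 20 + "88ac", 100_000_000),     # P2PKH, never spent from
    (REUSED, 200_000_000),                            # P2PKH, reused address
    ("0014" + "22" * 20, 300_000_000),                # P2WPKH
    ("5120" + "44" * 32, 400_000_000),                # P2TR
]
print(audit(SAMPLE, {REUSED}))
```

Outputs reported as "hashed" only stay in that class until their first spend, so a wallet audit of this kind has to be repeated after every outgoing transaction.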
Solutions: Post-quantum cryptography and Bitcoin upgrades
The Bitcoin community is working concretely on solutions. NIST published three post-quantum cryptography standards in 2024: ML-DSA (FIPS 204), ML-KEM (FIPS 203), and SLH-DSA (FIPS 205). The US government demands the elimination of ECDSA cryptography by 2035. NIST recommends organizations transition to quantum-resistant algorithms by 2030. In October 2025, BTQ Technologies demonstrated the first quantum-secure Bitcoin implementation. The company completely replaced the vulnerable ECDSA with ML-DSA, offering 128-bit post-quantum security for the $2 trillion Bitcoin market. This proves: Technical implementation is possible.
Several Bitcoin Improvement Proposals were submitted in 2025. BIP 360 ("Pay to Quantum Resistant Hash") by Hunter Beast introduces three new quantum-resistant signature algorithms, including FALCON and CRYSTALS-Dilithium. In April 2025, developer Agustin Cruz presented the QRAMP (Quantum-Resistant Address Migration Protocol), which would enforce a network-wide migration from legacy wallets to quantum-secure addresses – though through a hard fork.
The most influential proposal came in July 2025: "Post Quantum Migration and Legacy Signature Sunset," authored by Jameson Lopp, Christian Papathanasiou, and other experts. The proposal outlines a two-phase plan. First, sending Bitcoin to vulnerable addresses will be stopped. About five years later, these old addresses will be completely locked. The price for security: Post-quantum signatures are significantly larger. This could slow transaction speed by a factor of ten.
No acute danger yet, but action is needed
The answer to the question "Is Bitcoin currently threatened?" is clearly: No. Current quantum computers – including IBM's Nighthawk with 120 qubits and Google's Willow – possess nowhere near the required computing power. Even IBM's roadmap through 2029 and IonQ's goal of 80,000 logical qubits by 2030 are still far below the estimated 1,500 to 2,600 logical qubits (corresponding to 13 to 300 million physical qubits) needed to attack ECDSA. Nevertheless, the time window is shifting. 2025 is considered a critical year to begin migration. A global expert survey shows a 50 percent probability for cryptographically relevant quantum computers between 2030 and 2035. With a market capitalization of around $2 trillion and several million vulnerable BTC, even a five percent risk must be taken seriously.
The most likely risk factor, however, doesn't lie in the quantum hardware itself. Rather, the danger lies in flawed implementation of post-quantum-secure cryptography. Error correction made massive progress in 2025: Error rates dropped to record lows of 0.000015 percent per operation. Researchers at QuEra reduced the overhead for quantum error correction by a factor of 100. The Harvard-MIT-QuEra team operated a system with over 3,000 qubits continuously for two hours.
Bitcoin must prepare – but with caution, not panic. The transition to quantum-resistant algorithms will require trade-offs: lower transaction speed, larger signatures, more complex upgrades. The technical standards exist, implementations have been demonstrated, and several BIP proposals are available. The next five years will be decisive – not because the danger is imminent, but because preparing a global, decentralized network takes time.







