tech

Bitcoin Q-Day: €400B Transferable — Who's Ready, Who Sleeps

Of 19.8M bitcoins, ~4M are already quantum-vulnerable. At €100k per BTC, that's €400B transferable without authorization on Q-Day. Who's ready, who sleeps.

7 min

Bitcoin Q-Day: €400 Billion Transferable — Who's Ready, Who Sleeps

If you read my previous essay on the cryptographic Q-Day, you know that a sufficiently powerful quantum computer will break the ECDSA and RSA algorithms by 2029-2032. Bitcoin uses ECDSA. So the question is no longer whether Bitcoin will be vulnerable, but who is doing what about it today.

This article zooms in on Bitcoin specifically — because it's the most exposed blockchain, by its size, its institutional inertia, and the volume of funds already compromised without anyone talking about it.

The raw numbers

Of the 19.8 million bitcoins currently in circulation (out of the 21M cap), roughly 4 million are immediately vulnerable to a quantum attacker. Why?

Because their public key has already been revealed on-chain. Concretely, these bitcoins sit in:

  • P2PK addresses (Pay-to-Public-Key, the original 2009-2011 format) — ~1.7M BTC, most of it in wallets attributed to Satoshi Nakamoto
  • Reused P2PKH addresses (Pay-to-Public-Key-Hash) whose public key was revealed during an outgoing transaction — ~2.3M BTC
  • Various poorly-hygiened legacy addresses

At €100,000 per bitcoin (average price Q1 2026), that represents €400 billion directly transferable by an attacker with a capable quantum computer. No hacker to bribe. No backdoor. Just mathematics applied to public keys that have been accessible to everyone for 15 years.

The remaining bitcoins (~15.8M BTC in P2WPKH/Taproot addresses with an unrevealed public key) are temporarily protected. They become vulnerable the moment their owner moves them — the very act of spending reveals the public key on-chain.

The political problem before the technical one

The technical question has an answer: migrate to post-quantum signatures (CRYSTALS-Dilithium, SPHINCS+, Falcon, among the algorithms standardized by NIST in 2024). It's doable. It's tested. It exists in production libraries.

The problem is that Bitcoin has no central authority. Migrating the protocol requires either a soft fork (backward-compatible, simpler but limited) or a hard fork (a clean break, full deployment, requiring near-universal consensus from miners and nodes).

Coordinating a change of this magnitude on a €2 trillion infrastructure, with no CEO or board, is harder than solving the underlying mathematical problem. Recent history proves it:

  • 2017: the block-size debate (SegWit vs Bitcoin Cash) split the community for 2 years
  • 2021: Taproot, though technically consensual, took 4 years to deploy
  • 2024-2026: BIP-360 discussions (a proposal for post-quantum addresses) inch forward despite the urgency

The BIP-360 proposal and its limits

BIP-360, formalized in late 2024 by developer Hunter Beast, proposes a new Bitcoin address format called P2QRH (Pay-to-Quantum-Resistant-Hash). The idea:

  1. Create a new address "envelope" compatible with post-quantum signatures
  2. Soft fork (no mandatory break)
  3. Voluntary migration — each BTC holder chooses when to migrate

On paper, elegant. In practice, three massive problems:

Problem 1 — Transaction cost. A SPHINCS+ signature weighs ~8 KB versus 71 bytes for an ECDSA signature. That's ~110x more on-chain data. On a congested network, it's unsustainable.

Problem 2 — Lost bitcoins. An estimated 3 to 4 million bitcoins are permanently lost (missing keys, deceased owners without inheritance, discarded hard drives). These funds can never migrate to post-quantum. On Q-Day, they become recoverable by any quantum attacker — including the entire mythology of Satoshi's 2009 wallets.

Problem 3 — The timeline. If a capable quantum computer arrives in 2029, and a Bitcoin migration takes 4-5 years (realistic given Taproot), it should have started in 2024-2025. Yet BIP-360 has not even entered the formal activation process. The window is closing.

Who's preparing (and doing what)

| Player | Public stance | Concrete action | Real level | |---|---|---|---| | Bitcoin Core Foundation | "Monitoring NIST progress" | BIP-360 discussions | 🟡 Lukewarm | | MicroStrategy (Strategy) | "Not our immediate problem" | None | 🔴 Asleep | | Coinbase (custodian) | "Commitment to migrate custody funds" | Internal migration plan 2027-2030 | 🟢 Prepared | | Galaxy Digital | "Quantum risk included in our risk models" | Internal research, not public | 🟢 Prepared | | BlackRock (BTC ETF) | Silence | None | 🔴 Asleep | | MARA / CleanSpark (miners) | Not their problem (rewards, not signatures) | None | ⚫ Out of scope | | El Salvador (national treasury) | No official comment | None | 🔴 Asleep | | NSA / NIST (US research) | Anticipating since 2016 | NIST PQC standardization FIPS 203-204-205 published 2024 | 🟢 Ahead |

The divide is clear: sophisticated custodians (Coinbase, Galaxy) anticipate because they have measurable fiduciary responsibility and risk departments that run the numbers. Passive institutional holders (ETFs, corporate treasuries) defer the problem to "later" or "someone else."

The average retail holder simply isn't aware. Coinbase survey, Q4 2025: fewer than 4% of bitcoin holders have heard of Q-Day.

The Q-Day scenario (risk model)

Here's how a Sunday in October 2030 could unfold if nothing moves before then:

T+0: Public announcement (Google, IBM, or a state actor) of a quantum computer with 4,000+ stable logical qubits — Shor's algorithm capability on ECDSA-256 confirmed.

T+12h: The first automated bots sweep the blockchain for P2PK and P2PKH addresses with exposed public keys. Satoshi's wallets fall first (~1M BTC, ~€100B).

T+24h: Public announcement of an emergency hard-fork attempt. Heated debate on Bitcoin Core dev forums.

T+72h: Bitcoin price in free fall (-40% to -60%). Coinbase suspends withdrawals. Binance locks accounts. The US Treasury requests an emergency meeting with regulated exchanges.

T+1 week: Either consensus is reached for a PQC hard fork, or a permanent split between "legacy" Bitcoin (90% of holders asleep) and "PQC" Bitcoin (10% of assets survive).

This scenario isn't doom-mongering. It's the median scenario estimated by the risk departments at Galaxy Digital and Fidelity Digital Assets. The optimistic scenario: migration started in 2027, 60% of assets secured before 2030. The pessimistic scenario: no migration, total loss of confidence, Bitcoin reverts to a niche asset at $5,000.

What a holder can do today

If you hold bitcoin, here's what serious risk departments recommend:

  1. Never reuse an address. Each Bitcoin address should be used only once (both receiving AND sending). This keeps your public key unrevealed.
  2. Migrate to Taproot (P2TR) if your funds sit on legacy formats. Taproot doesn't solve Q-Day but reduces the current attack surface.
  3. Watch BIP-360 and migrate to P2QRH as soon as the format is activated, without waiting for your neighbors to do so.
  4. Diversify out of Bitcoin a portion proportional to your perceived quantum risk — 20%, 50% or more depending on your exposure and time horizon.
  5. For institutions: demand a documented, dated, auditable PQC migration plan from your custodian. If Coinbase, Galaxy or Fidelity can't provide that, switch custodians.

Conclusion

Bitcoin is the financial asset most exposed to Q-Day for two reasons:

  1. Its size (€2 trillion) makes it a priority target for any quantum attacker
  2. Its decentralized governance makes migration politically slower than that of a centralized infrastructure (banks, states)

The players who survive Q-Day are the ones who will have migrated 2 to 3 years before the event. The ones asleep today will pay the price of their wait-and-see. It's not a question of belief in the technology — it's a question of cryptographic arithmetic applied to a calendar that is closing.

Will the bitcoin you hold today still be yours in 2032? The answer doesn't depend on the market. It depends on how fast you understand the problem, and on the quality of the post-quantum infrastructure you move it onto.


This article expands on an angle raised in the previous essay Q-Day: The Cryptographic Deadline No One Is Watching. For SMEs and B2B players exposed to cryptography beyond Bitcoin, see also the OmniRealm cybersecurity audit at consulting.omnirealm.tech.