Quantum threat to Bitcoin: What's really happening beyond Michael Saylor's optimism

Michael Saylor, co-founder and CEO of MicroStrategy, made a bold statement on December 16: quantum computers will not destroy Bitcoin but will strengthen it. The claim sounds enticing: migration to post-quantum signatures, freezing of at-risk coins, increased security, reduced supply, and ultimately a stronger network. When we analyze the technical and on-chain realities, however, the picture becomes much more complex. Over 1.7 million bitcoins already sit in outputs whose public keys are visible on-chain, and a successful migration is far from guaranteed.

What is a quantum computer and why does it pose a threat to Bitcoin?

Before examining Saylor's claims, it is essential to understand what the quantum threat actually entails. Quantum computers are devices that leverage the principles of quantum mechanics, superposition and entanglement, to process information in a fundamentally different way than classical computers. This power is not a general speed-up of all calculations; it applies to very specific classes of problems, above all integer factoring and discrete logarithms, which is exactly the mathematics that public-key signatures rely on. Hash functions are far less affected: a quantum computer can search for a hash preimage only quadratically faster than a classical one, and cannot "reverse" the hash outright.

Bitcoin secures coins primarily through two mechanisms: proof-of-work based on SHA-256, and digital signatures using ECDSA and Schnorr on the secp256k1 curve. Shor's algorithm, which solves the elliptic-curve discrete logarithm problem efficiently on a fault-tolerant quantum computer, is a direct threat to the latter: given a public key, it yields the private key. Published resource estimates put the cost at roughly 2,000 to 4,000 logical, error-corrected qubits, which at today's error rates translates into millions of physical qubits. Current devices operate many orders of magnitude below this threshold, so a realistic threat will not materialize overnight. Most industry estimates place it at least a decade away, and NIST's draft transition plan (IR 8547) targets deprecating quantum-vulnerable signature algorithms such as ECDSA after 2030 and disallowing them after 2035.

The security window exists—but margins are tight

Saylor is correct on one point: in theory, there is time to prepare. NIST has already published quantum-resistant signature standards that Bitcoin could build on. In August 2024 the agency finalized two digital signature standards: ML-DSA (also known as Dilithium) as FIPS 204 and SLH-DSA (SPHINCS+) as FIPS 205. A third candidate, FN-DSA (Falcon), is under review for FIPS 206. These schemes could be integrated into Bitcoin via new output types or hybrid signatures combining classical and post-quantum protections.

Bitcoin Optech is currently tracking proposals for aggregating post-quantum signatures and for Taproot-based constructions. Performance experiments suggest that SLH-DSA verification can keep up with loads comparable to the current Bitcoin network. But there is a crucial caveat that Saylor omits: migration has a cost in block space, because post-quantum signatures are much larger. A Schnorr signature is 64 bytes and an ECDSA signature about 72; an ML-DSA-44 signature is 2,420 bytes plus a 1,312-byte public key, a Falcon-512 signature about 666 bytes plus an 897-byte key, and an SLH-DSA-128s signature 7,856 bytes. Even with the SegWit witness discount, studies indicate that block capacity could fall by half or more unless signatures are aggregated. Verification costs increase. Transaction fees go up. This is not a painless upgrade; it is a trade of capacity for security.
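To make the capacity trade-off concrete, here is an added worked calculation (not code from the article or from any Bitcoin project). It assumes a hypothetical output type whose witness carries a signature followed by a public key, with no signature aggregation, and uses the standard SegWit weight rules (non-witness bytes count four times, witness bytes once). The secp256k1 sizes are exact; the post-quantum sizes are the published parameter-set sizes for FIPS 204, FIPS 205 and Falcon-512.

```python
"""Block-space cost of post-quantum signatures under the SegWit witness discount.

Added example, not from the article. Assumes a hypothetical output type whose
witness carries <signature> <public key> with no aggregation.
"""

MAX_BLOCK_VBYTES = 1_000_000     # 4,000,000 weight units / 4
INPUT_NONWITNESS_BYTES = 41      # outpoint 36 + scriptSig length 1 + sequence 4
TX_OVERHEAD_VBYTES = 10.5        # version 4 + in/out counts 2 + locktime 4 + (marker+flag 2)/4
P2TR_OUTPUT_VBYTES = 43          # value 8 + script length 1 + 34-byte script

# (signature bytes, public key bytes carried in the witness)
SCHEMES = {
    "Schnorr (P2TR key path)": (64, 0),     # x-only key is already in the output
    "ECDSA (P2WPKH)": (72, 33),             # DER signature + sighash byte, compressed key
    "Falcon-512 (FN-DSA)": (666, 897),
    "ML-DSA-44": (2420, 1312),
    "ML-DSA-65": (3309, 1952),
    "SLH-DSA-SHA2-128s": (7856, 32),
}


def compact_size_len(n: int) -> int:
    """Bytes needed for Bitcoin's CompactSize encoding of n."""
    return 1 if n < 0xFD else 3 if n <= 0xFFFF else 5 if n <= 0xFFFFFFFF else 9


def witness_bytes(item_lens) -> int:
    """Serialized witness size: item count, then (length prefix + item) per item."""
    return compact_size_len(len(item_lens)) + sum(compact_size_len(n) + n for n in item_lens)


def input_vbytes(sig_len: int, pk_len: int) -> float:
    """vbytes of one SegWit input: non-witness bytes at full weight, witness at 1/4."""
    items = [sig_len] + ([pk_len] if pk_len else [])
    return INPUT_NONWITNESS_BYTES + witness_bytes(items) / 4


def tx_vbytes(n_in: int, n_out: int, sig_len: int, pk_len: int) -> float:
    """Virtual size of a simple transaction with n_in inputs and n_out P2TR outputs."""
    return TX_OVERHEAD_VBYTES + n_in * input_vbytes(sig_len, pk_len) + n_out * P2TR_OUTPUT_VBYTES


def capacity_table(n_in: int = 1, n_out: int = 2) -> dict:
    """Per scheme: (tx vbytes, number of such transactions that fit in one block)."""
    table = {}
    for name, (sig_len, pk_len) in SCHEMES.items():
        vb = tx_vbytes(n_in, n_out, sig_len, pk_len)
        table[name] = (vb, int(MAX_BLOCK_VBYTES // vb))
    return table


if __name__ == "__main__":
    base = capacity_table()["Schnorr (P2TR key path)"][1]
    for name, (vb, per_block) in capacity_table().items():
        print(f"{name:26s} {vb:8.2f} vB/tx  {per_block:5d} tx/block  ({per_block / base:.0%} of today)")
```

The numbers show why "about half" is an optimistic figure for a naive drop-in replacement: a 1-in-2-out Taproot transaction is 154 vB today, while the same shape with an ML-DSA-44 signature and key in the witness is over 1,000 vB, so fewer than a sixth as many fit in a block. Aggregation or Taproot-style commitments that keep the bulk of the data out of the common case are what the "half" estimates depend on.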

The real threat: 1.7 million BTC already exposed to attackers

This is the core issue Saylor overlooks. His statement that “active coins migrate, lost coins remain frozen” drastically simplifies the blockchain reality. Vulnerability to quantum attacks depends entirely on address type and whether the public key has already been revealed on-chain.

Coins stored in early pay-to-public-key (P2PK) outputs expose the raw public key directly on the chain from day one. Standard P2PKH and SegWit P2WPKH addresses hide the public key behind its HASH160 until the coins are spent; the spending transaction must publish the key, and from that moment the key is visible and vulnerable. This is also why address reuse matters: any further coins sent to an address that has already been spent from are exposed immediately, because the key is already on-chain. Taproot P2TR outputs go further and encode the (tweaked) public key in the output itself, putting those UTXOs at risk before they are ever spent.
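The distinction between "key in the output" and "key revealed on spend" is mechanical and can be read straight off the scriptPubKey. The following added example (not code from the article or from any Bitcoin project) classifies the standard output templates, pulls the public key out of a P2PKH scriptSig or P2WPKH witness when an output is spent, and tallies a small constructed UTXO set by exposure; the sample public key, hashes and signatures are fabricated placeholders.

```python
"""Classify Bitcoin output scripts by whether they expose a public key.

Added example, not code from the article. Script templates are the standard
ones; the sample outputs and spends at the bottom are fabricated.
"""
from dataclasses import dataclass
from typing import Optional

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


@dataclass
class Classification:
    kind: str                 # P2PK, P2PKH, P2SH, P2WPKH, P2TR or unknown
    key_exposed: str          # "in_output", "on_spend" or "n/a"
    pubkey: Optional[bytes]   # the key itself when the output contains one


def classify_script_pubkey(spk: bytes) -> Classification:
    """Match a scriptPubKey against the standard templates."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG. The key is in the output itself.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return Classification("P2PK", "in_output", spk[1:-1])
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG. Only HASH160 visible.
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return Classification("P2PKH", "on_spend", None)
    # P2SH: OP_HASH160 <20> OP_EQUAL. The redeem script (and its keys) appear on spend.
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[-1] == OP_EQUAL:
        return Classification("P2SH", "on_spend", None)
    # P2WPKH: OP_0 <20-byte HASH160>. Hidden until spent, like P2PKH.
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return Classification("P2WPKH", "on_spend", None)
    # P2TR: OP_1 <32-byte x-only tweaked pubkey>. Key is public from day one.
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return Classification("P2TR", "in_output", spk[2:])
    return Classification("unknown", "n/a", None)


def pubkey_revealed_by_spend(kind: str, script_sig: bytes, witness: list) -> Optional[bytes]:
    """Return the public key a spend publishes, if any.

    P2PKH scriptSig is <sig> <pubkey>; signature pushes are shorter than 76 bytes,
    so each push has a one-byte length prefix. P2WPKH witness is [sig, pubkey].
    """
    if kind == "P2PKH" and script_sig:
        sig_len = script_sig[0]
        pk_start = 2 + sig_len
        return script_sig[pk_start:pk_start + script_sig[1 + sig_len]]
    if kind == "P2WPKH" and len(witness) == 2:
        return witness[1]
    return None


def exposure_report(utxos, historical_spends) -> dict:
    """Sum UTXO value by exposure class.

    utxos: iterable of (script_pubkey, sats); historical_spends: iterable of
    (prev_script_pubkey, script_sig, witness). A hashed-key output counts as
    exposed when the same scriptPubKey was spent from before, because that spend
    already published the key. (Keyed by script for simplicity; a fuller version
    would key by HASH160(pubkey) to catch one key behind both a P2PKH and a P2WPKH.)
    """
    revealed = {}
    for prev_spk, script_sig, witness in historical_spends:
        pk = pubkey_revealed_by_spend(classify_script_pubkey(prev_spk).kind, script_sig, witness)
        if pk:
            revealed[prev_spk] = pk
    totals = {"exposed": 0, "hidden": 0, "unknown": 0}
    for spk, sats in utxos:
        c = classify_script_pubkey(spk)
        if c.key_exposed == "in_output" or spk in revealed:
            totals["exposed"] += sats
        elif c.key_exposed == "on_spend":
            totals["hidden"] += sats
        else:
            totals["unknown"] += sats
    return totals


# --- constructed sample data (fabricated placeholders, for illustration only) ---
PUBKEY = bytes.fromhex("0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
FAKE_SIG = b"\x30" + bytes(70)   # stand-in for a 71-byte DER signature + sighash byte

P2PK = bytes([33]) + PUBKEY + bytes([OP_CHECKSIG])
P2PKH_FRESH = bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_REUSED = bytes([OP_DUP, OP_HASH160, 20]) + b"\x11" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH_REUSED = bytes([OP_0, 20]) + bytes.fromhex("751e76e8199196d454941c45d1b3a323f1433bd6")
P2TR = bytes([OP_1, 32]) + PUBKEY[1:]

SAMPLE_UTXOS = [
    (P2PK, 5_000_000_000),          # Satoshi-era style output: key already public
    (P2PKH_FRESH, 100_000_000),     # never spent from: key still hidden
    (P2PKH_REUSED, 70_000_000),     # address reused after a spend: key public
    (P2WPKH_REUSED, 30_000_000),    # same
    (P2TR, 200_000_000),            # Taproot: key in the output
]
SAMPLE_SPENDS = [
    (P2PKH_REUSED, bytes([len(FAKE_SIG)]) + FAKE_SIG + bytes([33]) + PUBKEY, []),
    (P2WPKH_REUSED, b"", [FAKE_SIG, PUBKEY]),
]

if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS, SAMPLE_SPENDS))
```

Run against a real UTXO snapshot, the same logic is what the "25% exposed" estimates cited below are built from: P2PK and P2TR outputs count as exposed outright, and hashed-key outputs count once any spend from the same address has put the key on-chain.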

On-chain data analysis, confirmed by Deloitte studies and recent research focused on Bitcoin, reveals a frightening reality: about 25% of all bitcoins are already in outputs with publicly revealed public keys. Estimates suggest around 1.7 million BTC originate from the Satoshi era and sit in P2PK outputs, with hundreds of thousands more in modern Taproot outputs with exposed keys. These coins are not "frozen"; they are exposed, waiting for the first attacker with a suitable quantum machine.

Some of these “lost” coins indeed belong to unknown owners and could be stolen. But others belong to inactive wallets, custodial institutions, or individuals who have forgotten their Bitcoin. When the first quantum computer capable of attacks appears, these holders could lose everything—unless migration occurs earlier. This isn’t hypothetical; it’s mathematics and on-chain reality.

Three competing scenarios: Will the supply really decrease?

Saylor claims that “security increases, supply decreases.” That’s pure speculation, not a guarantee. The supply dynamics in a quantum attack world are not automatic—there are at least three competing scenarios, each with different implications for price.

Scenario 1 – “Shrinking through abandonment”: Coins in vulnerable outputs, whose owners never update, are treated as lost or explicitly blacklisted. In this case, the actual circulating supply could decrease. This is a bullish scenario but requires political consensus across the network—a consensus notoriously difficult to achieve in Bitcoin.

Scenario 2 – “Distortion through theft”: Quantum attackers find vulnerable wallets and drain them before owners can migrate. These coins flood the market; circulating supply doesn’t decrease—instead, we see chaotic redistribution. Price effects could be neutral or negative, especially if mass theft is perceived.

Scenario 3 – “Panic before physics”: The mere perception of coming quantum capabilities—even before machines appear—triggers sell-offs, chain splits, or preemptive “forks” to reset vulnerable addresses. Outcomes would be unpredictable.

None of these scenarios guarantees a clean, bullish supply reduction. Each involves political, technical, and economic complications that Saylor ignores. Actual supply could decrease, but it could also be distorted by theft, sale, or internal network conflicts.

Governance, politics, and timing: Larger challenges than cryptography

The strongest point of the original article, often overlooked in discussions of quantum threats, concerns Bitcoin governance. Bitcoin has no central authority to enforce a post-quantum migration. A soft fork would require overwhelming consensus among developers, miners, exchanges, and large holders—all simultaneously—before a quantum computer becomes cryptographically significant.

Recent analysis from A16z emphasizes: coordination and timing pose greater risks than cryptography itself. Bitcoin has operated for over 15 years through consensus, but also through impasses and controversies (see: block size wars). Post-quantum migration will be even more complex—combining technical consensus with economic incentives and geopolitical resilience. If the network waits too long, some coins will be stolen. If it tries to migrate too quickly, it could get stuck in disputes over special rules for old addresses.

Additionally, there is a lesser-discussed risk: "sign-and-steal" in the mempool. When a transaction spending coins from a hashed-key address (P2PKH or P2WPKH) is broadcast, its scriptSig or witness carries the full public key, which sits in public view while the transaction waits for confirmation. A quantum-capable attacker monitoring the mempool could recover the private key in that window, sign a conflicting transaction to their own address, and outbid the original under replace-by-fee rules. This does not require breaking every exposed key at once: it requires recovering one key faster than the roughly ten-minute block interval, plus network observation and a willingness to pay a higher fee.
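How fast is "fast enough"? The following added model (not from the article) puts numbers on the race. It assumes block arrivals are memoryless with a 600-second mean, so the victim's transaction is still unconfirmed after t seconds with probability exp(-t/600), and it applies the BIP 125 replace-by-fee acceptance rules as Bitcoin Core enforces them (the replacement must pay at least the replaced fee plus the incremental relay fee for its own size, and at a strictly higher feerate). The default incremental relay feerate of 1 sat/vB and the 111 vB attacker transaction size are assumptions.

```python
"""Model of the mempool 'sign-and-steal' race.

Added example, not from the article. Assumes memoryless block arrivals (mean
600 s) and BIP 125 replace-by-fee rules as enforced by Bitcoin Core.
"""
import math

BLOCK_INTERVAL_S = 600.0
INCREMENTAL_RELAY_FEERATE = 1.0   # sat/vB, Bitcoin Core's default incrementalrelayfee (assumed)


def race_success_probability(key_recovery_s: float, propagation_s: float = 0.0,
                             block_interval_s: float = BLOCK_INTERVAL_S) -> float:
    """P(victim tx still unconfirmed when the attacker's replacement reaches miners).

    With Poisson block arrivals the wait is exponential, so the survival function is
    exp(-t / mean); the time the attacker has already spent buys no advantage.
    """
    return math.exp(-(key_recovery_s + propagation_s) / block_interval_s)


def max_recovery_time_for(target_probability: float,
                          block_interval_s: float = BLOCK_INTERVAL_S) -> float:
    """Longest key-recovery time that still gives the target success probability."""
    if not 0 < target_probability <= 1:
        raise ValueError("probability must be in (0, 1]")
    return -block_interval_s * math.log(target_probability)


def min_replacement_fee_sats(victim_fee_sats: int, victim_vsize: int, attacker_vsize: int,
                             incremental_feerate: float = INCREMENTAL_RELAY_FEERATE) -> int:
    """Smallest fee a conflicting replacement needs to displace the victim's transaction.

    BIP 125 rules 3 and 4: pay at least the replaced fee plus the incremental relay
    fee for the replacement's own size. Core also requires a strictly higher feerate.
    """
    bandwidth_floor = victim_fee_sats + math.ceil(incremental_feerate * attacker_vsize)
    feerate_floor = victim_fee_sats * attacker_vsize // victim_vsize + 1
    return max(bandwidth_floor, feerate_floor)


def attack_plan(key_recovery_s: float, victim_fee_sats: int, victim_vsize: int,
                attacker_vsize: int = 111) -> dict:
    """Summarize one race: success odds and the fee the thief must commit to.

    attacker_vsize defaults to a 1-in-1-out Taproot sweep (assumed 111 vB).
    """
    return {
        "p_success": race_success_probability(key_recovery_s),
        "min_fee_sats": min_replacement_fee_sats(victim_fee_sats, victim_vsize, attacker_vsize),
    }


if __name__ == "__main__":
    for recovery in (30, 300, 600, 3600):
        print(f"key recovery {recovery:5d} s -> {attack_plan(recovery, 10_000, 154)}")
```

The model makes the asymmetry visible: a machine that needs an hour per key wins the race well under one percent of the time, one that needs five minutes wins about 60%, and the fee it must post is bounded by the victim's own fee and feerate rather than by the value being stolen. It also shows why the defence is behavioural as much as cryptographic: never reuse addresses, and treat a spend from a hashed-key output as the moment the key becomes public.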

What do the math and data actually show?

Mathematically, Bitcoin will not collapse overnight. There is a window, perhaps a decade or more, during which the network can conduct a careful post-quantum migration, and NIST and Bitcoin Optech are already working on the building blocks. SHA-256 proof-of-work is comparatively robust: Grover's algorithm offers at most a quadratic speedup, which reduces SHA-256's effective preimage security from 256 to about 128 bits, and the overhead of error-corrected quantum hardware means quantum mining is not competitive with classical ASICs for the foreseeable future.

However, on-chain data also clearly shows: about 25% of all bitcoins are already in outputs with publicly revealed keys, and 1.7 million BTC are in vulnerable addresses from the Satoshi era. This supply isn’t “frozen.” It’s waiting.

Saylor is correct that Bitcoin could emerge from a quantum attack period stronger, but only if the network's governance coordinates, owners migrate in time, and attackers never exploit the delay. It is not guaranteed. It is a bet on political coordination in a network that lacks central authority.

Will Bitcoin strengthen? It depends less on the timeline of quantum computers and more on whether developers and large holders act early, coordinate migration, and avoid panic or mass theft. Saylor's confidence relies on the assumption that the network can undertake a difficult, costly, and politically complex upgrade before physics catches up. Mathematics supports his optimism, but the reality of Bitcoin governance raises significant questions.
