The mainstream narrative around quantum computing and Bitcoin follows a predictable arc: a sufficiently powerful quantum computer doesn’t exist yet, the timeline is uncertain, and we have years — maybe decades — to prepare. That framing is missing the most dangerous part of the threat.
Andrew Gault — founding partner of 7percent Ventures, first investor in Oculus VR (acquired by Meta for $2 billion), and co-founder of Gaikai (acquired by Sony for $380 million) — has been arguing for months that the real quantum risk to Bitcoin is not future-tense. It is present-tense. The attack is already happening. We just won’t see the results until later.
His thesis rests on three letters: HNDL.
Harvest Now, Decrypt Later
HNDL — Harvest Now, Decrypt Later — is the practice of intercepting and archiving encrypted data today, with the intention of decrypting it once sufficiently capable quantum computers exist.
The technique is not theoretical. Intelligence agencies have operated on this doctrine for over a decade. Edward Snowden’s 2013 disclosures revealed NSA programs specifically designed to collect and store encrypted internet traffic for future cryptanalytic processing. Post-2013, the working assumption of every major intelligence service’s cryptography team is that adversaries with advanced collection infrastructure are banking data for eventual quantum decryption.
For most encrypted communications, the stakes of HNDL are serious but bounded: private messages, classified documents, intercepted credentials. For Bitcoin, the stakes are structurally different.
What Gault and others have identified is that the encrypted data stream surrounding Bitcoin’s financial infrastructure — API authentication packets, signed transaction broadcasts, cross-chain bridge attestations, cold storage signing sessions — contains information that, once decrypted retroactively, could enable reconstruction of private keys or unauthorized access to custodial infrastructure.
The attack surface is not just wallets. It is every point where Bitcoin interacts with networked systems.
What the Google Paper Actually Said
On March 30, 2026, Google published a quantum computing research paper that compressed all previous timeline estimates by approximately 20x.
The paper’s key finding: Bitcoin’s ECDSA signatures — the secp256k1 elliptic-curve cryptography underpinning every Bitcoin transaction — could be broken in approximately 9 minutes with fewer than 500,000 physical qubits.
The implications for on-chain security are direct and severe. Bitcoin’s confirmation window is 10 minutes. The Google paper estimates a 41% probability of recovering a private key from a broadcast but unconfirmed transaction before that confirmation window closes. A transaction broadcast to the mempool exposes the public key — and under the Google scenario, a sufficiently capable quantum computer could derive the private key and sign a competing transaction to a different address before the original transaction confirms.
That scenario requires a quantum computer at a scale that does not yet exist in 2026. Current leading systems operate at a few thousand physical qubits with high error rates; 500,000 physical qubits with the error correction architecture Google’s paper assumes is likely years away. But the paper’s significance is not that the attack is imminent — it is that the physics works, and the computational threshold is now quantified.
Previous estimates suggested breaking Bitcoin ECDSA would require millions of qubits and decades of development. Google’s March 2026 paper cut that threshold by more than 90%.
The Exposure Map: 5.6 to 6.9 Million BTC
Not all Bitcoin wallets carry equal quantum risk. The level of exposure depends on address type and whether the public key is permanently visible on-chain.
P2PK (Pay-to-Public-Key) addresses — used in Bitcoin’s earliest blocks, including Satoshi Nakamoto’s mining outputs — permanently expose the public key in the output script. Any address that has been spent from in a broadcast transaction has also permanently exposed its public key. Both categories are directly vulnerable to quantum key-derivation attacks once sufficient qubit counts are reached.
P2PKH and Taproot addresses that have never broadcast a transaction do not expose the public key at the address level. The full key is only revealed at spend time, during the confirmation window — the same 9-minute vulnerability window the Google paper identified.
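The exposure rules above can be checked against a wallet's own unspent outputs. The following is an added example, not code from the article or any project it cites: it recognises only P2PK and P2PKH output scripts by structure, reports everything else as unclassified, and uses constructed filler scripts plus a hypothetical `SPENT` set standing in for scripts the wallet has already spent from.

```python
# Added example: structural classification only; sample scripts are constructed.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

def classify_script(script_hex):
    """Return 'p2pk', 'p2pkh' or 'other' for a hex-encoded output script."""
    try:
        s = bytes.fromhex(script_hex)
    except ValueError:
        return "other"
    # P2PK: <push N> <N-byte public key> OP_CHECKSIG, N = 33 (compressed) or 65.
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == OP_CHECKSIG:
        if (len(s) == 35 and s[1] in (2, 3)) or (len(s) == 67 and s[1] == 4):
            return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash> OP_EQUALVERIFY OP_CHECKSIG.
    if (len(s) == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    return "other"

def exposure(script_hex, spent_scripts):
    """Map an unspent output to the exposure level the article describes."""
    kind = classify_script(script_hex)
    if kind == "p2pk":
        return "permanent"            # key sits in the output script itself
    if kind == "p2pkh":
        # Key was revealed in an input if this script was ever spent from.
        reused = script_hex.lower() in spent_scripts
        return "revealed-by-spend" if reused else "spend-window-only"
    return "unclassified"

def summarize(utxos, spent_scripts):
    """Total satoshis per exposure level for (script_hex, satoshis) pairs."""
    totals = {}
    for script_hex, sats in utxos:
        level = exposure(script_hex, spent_scripts)
        totals[level] = totals.get(level, 0) + sats
    return totals

# Constructed sample data (filler bytes, not real keys or hashes).
P2PK_65 = "41" + "04" + "11" * 64 + "ac"
P2PK_33 = "21" + "02" + "22" * 32 + "ac"
PKH_REUSED = "76a914" + "33" * 20 + "88ac"
PKH_FRESH = "76a914" + "44" * 20 + "88ac"
TRUNCATED = "41" + "04" + "11" * 10 + "ac"   # malformed push length
UTXOS = [(P2PK_65, 5_000_000_000), (P2PK_33, 100_000_000),
         (PKH_REUSED, 250_000_000), (PKH_FRESH, 75_000_000), (TRUNCATED, 1_000)]
SPENT = {PKH_REUSED}   # scripts seen in earlier inputs of the same wallet

if __name__ == "__main__":
    for level, sats in sorted(summarize(UTXOS, SPENT).items()):
        print(f"{level:18} {sats / 1e8:.8f} BTC")
```

Outputs in the `revealed-by-spend` bucket are the ones address reuse has moved from spend-time exposure to permanent exposure.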
Current estimates of quantum-vulnerable Bitcoin holdings:
| Category | Approximate BTC | % of Supply |
|---|---|---|
| P2PK addresses (permanent exposure) | ~2.3M BTC | ~11% |
| Addresses that have broadcast ≥1 tx | ~3.3–4.6M BTC | ~16–22% |
| Total at-risk estimate | 5.6–6.9M BTC | ~27–33% |
At $77,000 per BTC (mid-2026 prices), the upper bound of exposed value exceeds $530 billion.
Within that exposure, the most symbolically significant subset is the approximately 1.1 million BTC attributed to Satoshi Nakamoto’s early mining — the “Patoshi pattern” addresses identified by blockchain researcher Sergio Lerner. These P2PK addresses have never moved a satoshi and permanently expose their public keys. They are the most quantum-vulnerable holdings in Bitcoin’s entire supply, and unlike most wallet owners, their owner (if any) cannot voluntarily migrate them.
The Convergence Problem: Lawsuit + Quantum
The same Patoshi-pattern addresses sit at the center of Noah Doe et al. v. 39,069 Dormant Bitcoin Addresses — the New York lawsuit attempting to claim title to $293 billion in dormant wallets under a lost-property statute. Both the legal and quantum threats converge on the same target: coins that cannot respond.
The convergence is not coincidental. P2PK addresses are uniquely exposed on both fronts:
- Legally: they are identifiable, dormant, and their owner cannot appear in court to defend them
- Cryptographically: their public keys are permanently on-chain, making them primary targets for future quantum key-derivation attacks
Any serious analysis of Bitcoin’s long-term security posture must treat these as overlapping, compounding risks rather than separate issues.
The Protocols: BIP-360 and BIP-361
The Bitcoin development community’s response to quantum risk has produced two significant proposals in 2026.
BIP-360 introduces a new address type — P2MR (Pay-to-Merkle-Root) — that removes public key exposure at the address level. Under BIP-360, public keys are committed via a Merkle hash rather than exposed directly in the output script. This closes the permanent-exposure vulnerability for new addresses. The proposal has undergone multiple rounds of community review and is in active development.
BIP-361, authored by Jameson Lopp and five co-authors in April 2026, takes a more controversial approach. It proposes a 5-year migration window during which Bitcoin holders would be expected to move funds from legacy (quantum-vulnerable) address types to quantum-resistant formats. After the window closes, unmigrated coins would be effectively frozen — spendable only with a valid quantum-resistant proof, or subject to protocol-level restrictions.
BIP-361 is the most contentious proposal in recent Bitcoin development history. The objections are substantive:
- Satoshi’s coins: The proposal would implicitly render 1.1 million BTC permanently inaccessible if the Patoshi addresses cannot migrate — approximately $84 billion at current prices.
- Lost wallets: An estimated 3–4 million BTC are already permanently lost due to lost private keys. A mandatory migration window cannot reach coins whose owners are dead, incapacitated, or unreachable.
- Custodial failures: Any regulated custodian that fails to migrate client holdings within the window faces a compliance catastrophe.
- Precedent: Critics argue that confiscating or freezing coins based on address type, even for security reasons, fundamentally breaks Bitcoin’s “no one can touch your coins” social contract.
Proponents counter that leaving 6.9 million BTC quantum-vulnerable indefinitely creates a systemic risk that could undermine confidence in Bitcoin’s entire supply. The debate is unresolved and will likely define Bitcoin’s development roadmap through 2028.
The Financial System Risk: Citi’s $2-3.3 Trillion Estimate
Gault’s HNDL concern extends beyond Bitcoin wallets to the broader financial infrastructure that Bitcoin and blockchain markets increasingly touch.
A Citi research report published in the first half of 2026 modeled the macroeconomic impact of a successful quantum attack on the Fedwire system — the Federal Reserve’s real-time gross settlement network that clears approximately $4 trillion in transactions daily. Citi’s estimate: a single successful attack on Fedwire using harvested cryptographic material could trigger GDP contraction of $2.0–3.3 trillion, representing 10–17% of annual US GDP.
The attack vector Citi modeled is not a direct breach of quantum-resistant symmetric encryption. It is the compromise of authentication credentials and signing keys that were encrypted under classical asymmetric cryptography — ECDSA or RSA — at the time they were transmitted, and subsequently harvested under an HNDL collection program. The quantum computer does not attack the settlement system in real time. It retroactively decrypts archived auth sessions to reconstruct credentials, then uses those credentials to authorize fraudulent transactions.
The Fedwire scenario illustrates why Gault argues the threat to Bitcoin’s infrastructure — exchanges, custodians, bridge operators, institutional API endpoints — may be as significant as the threat to individual wallets. A custodian whose signing key was harvested in 2024 and decrypted in 2030 does not need to hold quantum-vulnerable P2PK addresses to be compromised.
Project Eleven’s Timeline: Q-Day Before 2033
Project Eleven, a quantum computing research consortium, published a probability analysis in 2026 placing Q-Day — the point at which a quantum computer could break Bitcoin’s ECDSA — as “more likely than not” by 2033.
The analysis is a probability distribution, not a point prediction. The 2033 estimate represents a median scenario; the tail risks are earlier. Under Project Eleven’s model, there is a non-trivial probability of a capable system emerging by 2030, and a small but nonzero probability of a system reaching the threshold by 2028.
The significance of any specific timeline depends heavily on two factors:
- Migration speed: How fast can the Bitcoin ecosystem move to quantum-resistant address types once a credible threat is confirmed?
- HNDL lag: For traffic already harvested, the relevant threshold is not the Q-Day date but the date the decryption occurs — which could be years before the capability is publicly acknowledged.
The HNDL problem inverts the typical security response. In classical security, you defend before you are compromised. Under HNDL, by the time the attack is visible, the collection phase completed years earlier. There is no retroactive defense.
Bitcoin vs. Ethereum: Quantum Readiness
Bitcoin and Ethereum face structurally different quantum exposure profiles in 2026.
Bitcoin has no unified governance mechanism to mandate address migrations. BIP adoption is voluntary and consensus-driven; even a BIP with overwhelming developer support takes years to implement and has no enforcement mechanism for legacy holders. Bitcoin’s quantum response is a coordination problem at the hardest possible scale.
Ethereum has demonstrated a faster upgrade cadence through its beacon chain and EIP process. Ethereum’s Vitalik Buterin published a technical roadmap in early 2026 for a potential emergency hard fork to implement post-quantum signature schemes, estimating that Ethereum could execute such a migration in 12–18 months from a decision to proceed. The EIP process allows for mandatory protocol-level changes in a way Bitcoin’s conservative BIP model does not.
Neither chain has yet committed to a quantum migration timeline. But Ethereum’s governance structure arguably gives it faster response options if the threat materializes rapidly.
What Holders Need to Know Now
The practical implications for different types of Bitcoin holders vary significantly.
Self-custody holders with modern wallets: If you have never broadcast a transaction from an address (it has never appeared in any input script), your public key is not currently exposed on-chain. The risk is limited to the spend-window vulnerability — the ~10 minutes between broadcast and confirmation. At current quantum computing capabilities, this risk is effectively zero. At Google’s projected threshold, it becomes real.
Holders using P2PK addresses or any address that has transacted: Your public key is permanently on-chain. The risk is an offline quantum key-derivation attack: the attacker faces no time window and no urgency, and the attack becomes feasible once qubit counts reach the relevant threshold. Migration to P2PKH or Taproot addresses would reduce but not eliminate risk.
Holders using centralized custodians or exchanges: The HNDL risk is concentrated here. You are not holding keys — your custodian is. Their API auth sessions, signing infrastructure, and internal key management systems have generated encrypted traffic over years. Whether that traffic has been harvested under HNDL programs is unknowable. The relevant question for institutional holders is whether their custodian has begun auditing and rotating keys generated under classical asymmetric cryptography.
Long-term cold storage holders: The BIP-361 debate is directly relevant to you. If the proposal or any like it moves toward adoption, coins in legacy address formats that remain unmigrated after a decision window could face protocol-level restrictions. Following the BIP-361 debate closely is a reasonable precaution even for conservative holders.
The Coordination Failure Risk
The most underappreciated aspect of Gault’s argument is not the technical vulnerability — it is the coordination failure that could prevent an adequate response.
Bitcoin’s credibility rests on properties that also make emergency response difficult: decentralization, censorship resistance, and voluntary governance. A migration to quantum-resistant cryptography requires:
- A finalized technical standard (BIP-360 is in progress)
- Wallet software updates across thousands of implementations
- Voluntary user action to move funds to new address types
- Exchange and custodian migrations
- Miner activation of any network protocol changes
Each step requires coordination across a global, adversarial ecosystem with no central coordinator. A comparable migration — the SegWit upgrade — took over two years from finalization to broad adoption. A quantum migration, which is technically more complex and more contentious (due to BIP-361’s frozen-coin implications), would likely take longer.
If Q-Day arrives faster than the Project Eleven median — if the 2028 tail scenario materializes — that coordination timeline may not be sufficient.
Gault’s message to Bitcoin investors is not to panic. It is to stop treating quantum risk as a future problem while the conditions for the attack are being established in the present. The harvest is already underway. The decryption is a matter of when, not if.