Quantum Computers Put $2 Trillion in Crypto on a Migration Clock

More than $2 trillion in crypto sits on cryptography that a sufficiently powerful quantum computer could break, according to a new report from Quantus, a quantum-secure blockchain startup. Three months earlier, Google Quantum AI estimated that fewer than 500,000 physical qubits would be enough to do it, roughly a 20-fold reduction from a 2023 estimate near 9 million.

That collapsing resource estimate is what changed the conversation. The Quantus report, titled The State of Quantum: What Crypto Can’t Afford to Ignore, argues that bridges, oracles, stablecoin administrator keys, and governance multisigs share the same signature math as the wallets, and would fail together rather than one by one.

Why the Timeline Snapped Forward

For years, the standard answer on quantum risk to bitcoin was that the hardware was nowhere close. A 2023 resource estimate for breaking the secp256k1 elliptic curve (the math behind bitcoin and ethereum signatures) required around 9 million physical qubits. No public roadmap was anywhere near that figure.

Then in March, a Google Quantum AI white paper, co-authored with researchers at the Ethereum Foundation and Stanford University, brought the figure under 500,000 physical qubits. The same paper estimated that a first-generation cryptographically relevant quantum computer could solve the elliptic curve discrete logarithm problem for the bitcoin curve in roughly nine minutes once it ran.

Quantus reads that compression as a planning trigger, not an alarm. Its central horizon is 2030, the year the U.S. National Institute of Standards and Technology (NIST, the federal body that sets cryptographic standards) has flagged for deprecating RSA and ECC-256 across federal systems. The Defense Advanced Research Projects Agency is funding work toward a utility-scale quantum machine by 2033.

Error correction is the variable doing the work. Google’s Willow chip, IBM’s roadmap toward fault-tolerant operations, and Quantinuum’s gains in logical-qubit fidelity have each, in their own way, made a useful Shor’s algorithm machine look less like a 2045 question and more like a late-decade one.

Two Trillion Dollars Sitting in Plain Sight

Roughly one million bitcoin sit in Satoshi-era pay-to-public-key (P2PK) addresses whose public keys are already on-chain. Another batch lives in addresses where the key was revealed the first time a transaction was signed. Industry estimates put around 33% of bitcoin’s circulating supply already exposed to a sufficiently advanced quantum attack, before any new spend reveals additional keys.
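The two exposure categories above (keys published in the output itself, and keys revealed by an earlier spend) can be checked mechanically from an output's locking script. The following is an added example, not code from the Quantus report or any project named here; `classify`, `exposed_value` and the sample data are hypothetical and constructed, and the Taproot byte layout follows BIP 341.

```python
from typing import Optional, Tuple

def classify(script_hex: str) -> Tuple[str, Optional[bool]]:
    """Return (script type, is a public key visible on-chain before any spend?)."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG; the raw key is in the output.
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        if (n == 35 and s[1] in (2, 3)) or (n == 67 and s[1] == 4):
            return "P2PK", True
    # Hash-locked outputs: only a hash is published until the coin is spent.
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH", False
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH", False
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH", False
    # P2TR: OP_1 <32-byte x-only output key>; the key itself is in the output.
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR", True
    return "unknown", None

def exposed_value(utxos) -> Tuple[int, int]:
    """utxos: (script_hex, sats, key_revealed_by_earlier_spend). Returns (exposed, total)."""
    exposed = total = 0
    for script_hex, sats, revealed in utxos:
        _, at_rest = classify(script_hex)
        total += sats
        if at_rest or revealed:
            exposed += sats
    return exposed, total

# Constructed sample data: placeholder keys and hashes, not real outputs.
KEY33, KEY65 = "02" + "11" * 32, "04" + "22" * 64
HASH20, XONLY32 = "33" * 20, "44" * 32
SAMPLE = [
    ("21" + KEY33 + "ac", 5_000_000_000, False),       # P2PK, compressed key
    ("41" + KEY65 + "ac", 5_000_000_000, False),       # P2PK, uncompressed key
    ("76a914" + HASH20 + "88ac", 100_000, False),      # P2PKH, never spent from
    ("76a914" + HASH20 + "88ac", 200_000, True),       # P2PKH, address reused
    ("0014" + HASH20, 300_000, False),                 # P2WPKH, never spent from
    ("5120" + XONLY32, 400_000, False),                # P2TR
]

if __name__ == "__main__":
    exposed, total = exposed_value(SAMPLE)
    print(f"{exposed} of {total} sats have a public key on-chain")
```

The `revealed` flag has to come from chain history (whether the same key has already signed a spend), which a locking script alone cannot tell you.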

Layer on top the dead-coin overhang. Quantus estimates between 2.3 million and 3.7 million bitcoin are permanently inaccessible because owners no longer hold the private keys. Those coins cannot be moved to quantum-safe addresses, so the network would have to pick between leaving them exposed for any future attacker to claim, freezing them, or inventing a mechanism that has no clean precedent.

The migration economics turn hostile in parallel. A standard Elliptic Curve Digital Signature Algorithm (ECDSA) payload, with the embedded public key, fits in about 97 bytes. The same transaction signed with ML-DSA-87 (Module-Lattice Digital Signature Algorithm, the post-quantum standard NIST codified as FIPS 204) needs roughly 7,187 bytes.

| Signature Scheme | Payload Size | Quantum-Safe |
|---|---|---|
| ECDSA secp256k1 (current bitcoin) | 97 bytes | No |
| Falcon-512 | 1,563 bytes | Yes |
| ML-DSA-87 (Dilithium) | 7,187 bytes | Yes |
| SLH-DSA-128s (SPHINCS+) | 7,888 bytes | Yes |

A 74-fold expansion in signature data, on a network already pricing block space at a premium, is the engineering problem BIP 360 was written to begin solving. The same arithmetic hits ethereum gas markets, layer-2 settlement budgets, and every chain whose validator set has to verify every signature.

Where DeFi’s Plumbing Cracks First

Individual self-custody wallets are not the most exposed surface. The infrastructure layer of decentralized finance signs with the same elliptic curve scheme as bitcoin and ethereum, and one cryptanalytic break would land on all of it at once. Quantus lists the failure points explicitly:

  • Bridge validator keys. Cross-chain bridges that have lost more than $2 billion to classical exploits already sit on multi-signature sets whose keys are on-chain by design.
  • Stablecoin administrator keys. The mint and burn authority for major dollar-backed stablecoins relies on classical signature schemes. A break compromises peg integrity, not a single user.
  • Oracle networks. Price feeds that liquidate billions in collateral every day are authenticated by validator keys with the same exposure profile.
  • Multisig custody. Institutional treasury setups built on Gnosis Safe and comparable contracts are co-signed by classical keys.
  • Governance contracts. Protocol upgrades for major DeFi systems are authorized through on-chain signatures, meaning quantum-broken signers could push malicious upgrades through ostensibly democratic channels.

Lana Ivina of CircuitLabs noted in response to the report that new quantum-resistant chains may not even be the user preference. “Many users may prefer to remain on a chain with a smaller but well-understood quantum attack surface, especially if that chain has a credible path toward upgrades, hard forks, or user-level migration schemes,” she said.

That preference is rational if migration is feasible. It is dangerous if the protocol cannot coordinate the move in time, because every dollar exposed in DeFi infrastructure is collateral for a lending market, a derivatives book, or an automated market maker stacked above it.

BIP 360 and the Migration That Wasn’t

Bitcoin’s leading proposal is BIP 360, the Pay-to-Merkle-Root specification, which was merged into the Bitcoin Core BIP repository earlier this year. It introduces a new address format starting with “bc1r” that supports post-quantum signature schemes including ML-DSA, SLH-DSA, and Falcon, and removes the quantum-vulnerable keypath spend used in current Taproot outputs.

Merging the proposal is not the same as activating it. BIP 360 still lacks consensus on the signature scheme to bless, the block-weight discount post-quantum signatures should receive, hardware-wallet support, and a deadline for legacy holders. Quantus argues that without an explicit cutoff, the same race-condition problem reappears: rational holders wait, the calendar shrinks, and the migration is forced under stress.

The only practical solution is to set a hard deadline for account owners to migrate their tokens to quantum-safe accounts, after which all tokens held in vulnerable accounts will be permanently frozen.

Auryn Macmillan, co-founder of Gnosis Guild, made that argument in response to the Quantus report. It is the cleanest answer on offer and the most politically combustible, because it forces the network to act on coins whose owners are presumed lost, including roughly one million bitcoin associated with the network’s pseudonymous creator.

Internet Infrastructure Moved Before Crypto Did

Traditional internet infrastructure has been quietly migrating for two years. Google and Cloudflare publicly committed to full post-quantum deployment by 2029. Signal rolled out post-quantum key exchange across its messenger in early 2024. Cloudflare reports post-quantum encryption now protects a majority of the web traffic it serves.

Apple last week published its iPhone and Mac post-quantum cryptography source code on GitHub with formal mathematical proofs, a move designed to let outside auditors verify the implementations align with NIST’s FIPS 203 and FIPS 204 standards. None of those companies needed user consent, a hard fork, or a governance vote to ship.

Crypto cannot move that quietly. Wallet makers, exchanges, custodians, validators, miners, and governance bodies all need to coordinate, often against their own short-term incentives. The federally referenced “harvest now, decrypt later” risk applies more sharply to blockchains than to TLS traffic: as a Federal Reserve working paper notes, distributed ledgers expose entire transaction histories permanently, with no option to delete or retroactively re-encrypt the record.

That asymmetry is the part of the report most outlets glossed. Centralized services migrate users without them noticing. Blockchains require every user to migrate themselves, on a schedule the protocol can only suggest.

The Coordination Problem No Protocol Can Patch

Christopher Smith, chief executive officer of Quantus, framed the core issue bluntly in the report. “Crypto does not get a clean warning bell before Q-Day,” he said. “If the industry waits until the threat is obvious, users will be asked to move value under pressure.”

His firm has a market interest in that argument. Quantus is building a Layer 1 blockchain that uses ML-DSA-87 from genesis, and a “Great Quantum Filter” framing benefits any chain positioned to inherit capital that flees vulnerable legacy networks. The report acknowledges as much. The data underneath the framing, however, is sourced from NIST, whose post-quantum standards page sets 2030 as the deprecation target, and from peer-reviewed quantum research, not from marketing.

What the next eighteen months actually decide is governance bandwidth. If the bitcoin and ethereum core developer communities formalize an activation path for post-quantum signatures, BIP 360 turns into a deployable upgrade and the network gains roughly five years of runway before Q-Day estimates start clustering. If they do not, the migration debate runs into a hardware curve that no longer cooperates, and the largest holders will start front-running it through self-custody changes that fragment liquidity.

The signature math is settled. The standards exist. Whether crypto can coordinate before quantum hardware finishes its current acceleration is now the only question that matters, and the answer is being written in commit logs, not in white papers.

Disclaimer: This article is for informational purposes only and does not constitute investment, security, or technology advice. Quantum risk to cryptographic systems is an evolving area; readers concerned about exposure to digital assets or critical infrastructure should consult qualified cryptographic and financial professionals. Figures and timelines are accurate as of publication on May 29, 2026.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy-focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no-nonsense tech news and reviews based on real hands-on testing. He has personally tested and reviewed dozens of mid-range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
