HackSatoshi

Modeling the world's largest quantum attack on Bitcoin

When hardware meets the attack threshold
Qubits needed (known)
Qubits needed (projected)
IBM
Google
Quantinuum
IonQ
PsiQuantum
Y-axis: physical qubits (log scale). Attack overhead based on optimized Shor's implementation for secp256k1 with projected error correction improvements. Hardware roadmaps from public vendor announcements. Current best estimate: ~100K physical qubits needed (Jan 2026). Further reductions projected but floor is >10K qubits.
The vulnerability
001 — The Vulnerability

Satoshi's coins are already exposed.

Satoshi Nakamoto mined approximately 1.1 million BTC in Bitcoin's earliest blocks. These coins use Pay-to-Public-Key (P2PK) — a format where the full public key is exposed directly on the blockchain. Unlike modern addresses that hash the public key, P2PK gives a quantum attacker everything they need. The public key is sitting there, on-chain, waiting.

01
Public Key Exposed
P2PK transactions reveal the full secp256k1 public key on-chain. A quantum computer running Shor's algorithm can derive the private key from this.
02
No Migration Possible
Satoshi's coins haven't moved since 2010. Without the private key holder actively migrating funds to a quantum-safe address, these coins remain permanently vulnerable.
03
$96B+ at Stake
At current prices, Satoshi's unmoved coins represent one of the largest single-entity holdings in existence — all secured by pre-quantum cryptography.
04
Not Just Satoshi
An estimated 4+ million BTC across early wallets use P2PK or have reused addresses, exposing their public keys. The total quantum-vulnerable BTC may exceed $350B.
Total Bitcoin currently vulnerable to quantum attack
4,000,000+ BTC
≈ $350,000,000,000+
Includes all P2PK outputs, reused P2PKH addresses with exposed public keys, and early-era wallets with known cryptographic weaknesses. This figure represents roughly 20% of all Bitcoin ever mined.
002 — The Attack Path

Our most resource-efficient quantum attack model.

We have developed what we believe is the most optimized end-to-end quantum attack model targeting Bitcoin's secp256k1 elliptic curve. Our approach minimizes qubit requirements through novel circuit synthesis, aggressive error correction strategies, and algorithmic optimizations to Shor's implementation.

Attack Sequence — Optimized Model v3.2 Theoretical
01
Extract target public key from blockchain
Identify P2PK outputs in Satoshi-era blocks. Public key is directly readable from the scriptPubKey field. No computation required.
02
Initialize quantum register with optimized Shor's circuit
Our proprietary circuit synthesis reduces the required logical qubits for 256-bit ECC from ~2,330 (Roetteler et al.) to an estimated 1,800 through windowed arithmetic and improved modular exponentiation.
03
Apply surface code error correction
At current error rates (~10⁻³), each logical qubit requires ~1,000 physical qubits. Our model projects this overhead dropping to ~50 with anticipated hardware improvements.
04
Execute quantum period finding
Run the quantum Fourier transform to find the period of the elliptic curve discrete logarithm. Estimated runtime: 8 hours on a sufficient-scale machine.
05
Classical post-processing: derive private key
Extract the discrete logarithm from quantum measurements using continued fractions. Reconstruct the 256-bit private key. Sign a transaction moving the funds.
Current Status Live Tracking
Logical qubits required (our model) ~1,800
Physical qubits required (current best estimate) ~100,000
Largest quantum computer today ~1,100 qubits
Gap to threat ~90x
Estimated year of cryptographic relevance 2029–2033

The clock is ticking.

We publish our full attack model, methodology, and real-time tracking openly. Because the only thing more dangerous than quantum risk is pretending it doesn't exist.

Read the Full Paper View on GitHub