6.5M BTC at Risk as Quantum Threat Drops to 500,000 Qubits

BIP-361, proposed in April 2026, calls for freezing 6.5 million BTC held in quantum-vulnerable unspent transaction outputs. That's roughly one-third of Bitcoin's total circulating supply sitting in old wallet formats that expose public keys—making them easy pickings for a sufficiently powerful quantum computer.

The urgency stems from Google Quantum AI research published March 31, 2026, which slashed the qubit threshold needed to break Bitcoin's secp256k1 curve from 9 million down to 500,000 physical qubits. Google's Willow chip currently runs 105 qubits, and IBM's Nighthawk chip has reached 120 qubits, meaning the industry is still years away from the 500,000-qubit mark—but the trajectory is clear.

The 6.5 million BTC figure includes an estimated 1 million coins associated with Satoshi, all stored in formats that reveal public keys once spent. The real attack vector is the 10-minute window between transaction broadcast and block confirmation, when a quantum attacker could intercept a mempool transaction, derive the private key from the exposed public key, and double-spend the funds. Bitcoin Magazine legal analyst Colin Crossman said classical property law gives a blunt answer to the question of whether quantum-derived key recovery constitutes theft: it is theft.

Crossman argued that old coins are not ownerless just because they are old. Abandonment under property law requires both intent to relinquish ownership and some act manifesting that intent—dormancy alone does not meet that standard. The catch is that Bitcoin itself does not enforce title the way courts do—it enforces control. If a quantum computer can derive the private key, the protocol will honor the spend, regardless of who initiated it.

NIST's post-quantum migration roadmap calls for federal systems to deprecate quantum-vulnerable algorithms by 2030 and disallow them entirely by 2035.