For most of Bitcoin’s history, the threat of quantum computers breaking its cryptography was a distant worry. In 2026, that has changed. On February 11, a proposal called BIP-360 was merged into Bitcoin’s official repository. It introduces the network’s first quantum-resistant address type. Two months later, BIP-361 laid out a far more dramatic plan: to migrate, and potentially freeze, roughly 6.5 to 6.9 million Bitcoin — about a third of all supply — that sit in addresses vulnerable to a future quantum attack. This includes an estimated 1.7 million coins in ancient addresses widely believed to belong to Satoshi Nakamoto.

The urgency comes from new research. In early 2026, Google estimated that breaking Bitcoin’s elliptic-curve signatures might require far fewer quantum resources than thought. A researcher also broke a small elliptic-curve key on real quantum hardware. Bitcoin is not in danger today, but its developers have decided the clock has started.

The actual threat

To understand the solution, you first have to understand exactly what quantum computers threaten in Bitcoin. The popular framing is mostly wrong. The most common misconception is that quantum computers threaten Bitcoin mining. They do not, at least not in any practical timeframe. Mining relies on SHA-256 hashing, and attacking that would require energy approaching the power output of a star.

The real vulnerability is in transaction signing, which uses elliptic-curve cryptography like ECDSA and Schnorr. A sufficiently powerful quantum computer running Shor’s algorithm could derive a private key from an exposed public key, seizing the coins. The critical detail is the word “exposed.” A public key is only vulnerable once revealed on the blockchain. This happens when an address sends a transaction, for ancient Pay-to-Public-Key outputs, and in certain Taproot spends.

Project Eleven estimates roughly 6.9 million Bitcoin sit in addresses where the public key is already exposed. That includes the estimated 1.7 million coins in ancient P2PK addresses, some believed to be Satoshi’s. Protecting them, or deciding what to do, is what the new proposals address.

Why now: the accelerating timeline

The question is “when,” and the reason Bitcoin’s developers moved in 2026 is that the timeline appears to be accelerating. Google’s research suggested breaking 256-bit elliptic-curve cryptography might require fewer than 1,200 logical qubits and under 500,000 physical qubits. That was lower than earlier projections. In April 2026, a researcher broke a 15-bit elliptic-curve key on quantum hardware. A 15-bit key is trivially small, but the demonstration represented a 512-fold improvement over a result from September 2025.

A Nobel Prize-winning physicist warned Bitcoin could be an early target. A panel of six cryptographers concluded a cryptographically-relevant quantum computer “will eventually be built,” and migration must begin now. Google set its own migration target for 2029. The consensus emerged that work must begin while there is time.

What BIP-360 does

BIP-360 introduces a new output type called Pay-to-Quantum-Resistant-Hash (P2QRH). It works almost like existing Taproot outputs but removes the element a quantum computer could exploit. Spending uses post-quantum signature schemes like ML-DSA, based on NIST-approved algorithms. New addresses begin with “bc1r.” Legacy nodes treat the new outputs as “anyone-can-spend,” so the upgrade rolls out as a soft fork. This allows gradual adoption.

There is a real cost. Post-quantum signatures are much larger — some up to 8 kilobytes, far larger than current signatures. This could drive fees higher unless miners give witness discounts. The central trade-off is clear: quantum resistance comes at the price of efficiency.

The hard part: BIP-361 and the vulnerable coins

BIP-361 proposes a mechanism to handle exposed coins. The core idea is to set a deadline for holders of vulnerable coins to migrate them to quantum-resistant addresses. After that, the network would stop honoring spends from old signature types. This prevents a future attacker from sweeping exposed coins.

The agonizing problem is the coins that cannot migrate. An estimated 1.7 million Bitcoin sit in ancient addresses, including roughly a million believed to be Satoshi’s. These cannot be moved because no one with the keys is around. If BIP-361’s signature sunset takes effect, these coins would be frozen, permanently unspendable.

This pits two principles against each other: immutability versus security. Freezing coins violates property-rights absolutism many Bitcoiners hold sacred. Supporters argue doing nothing guarantees those coins will eventually be stolen. There is no clean answer.

The debate over how to do it

Beyond the freeze question, there is active technical debate. Some argue for keeping Taproot’s structure and adding a hidden post-quantum fallback. Others want to upgrade signature schemes directly using hash-based schemes like SLH-DSA. The existence of multiple approaches means Bitcoin’s quantum defense is still being designed. The debate will unfold over years.

How Bitcoin compares

Ethereum has taken a more aggressive approach with Vitalik Buterin’s roadmap targeting quantum resistance across multiple layers. Ripple’s XRP Ledger has concrete plans for 2028. Hedera already uses hash-based cryptography. Bitcoin’s challenge is harder due to its enormous exposed legacy supply and consensus-driven governance. The networks that can quantum-proof quickly are generally younger or more centralized.

What it means for holders

The first point is that there is no immediate danger. No quantum computer capable of breaking Bitcoin exists today. Holders do not need to do anything urgent. The second point is that holders can take a simple step: when quantum-resistant addresses become available through BIP-360, plan to move coins to new “bc1r” addresses in due course.

The deeper significance is what this reveals about Bitcoin’s adaptability. The network works as intended: developers identified a long-term threat, proposed solutions years in advance, and started the consensus-driven process. The most contentious question — what to do about lost coins, including Satoshi’s — remains unresolved. For now, the takeaway is calm awareness: the threat is real but distant, the response has begun, and the hardest choices are still ahead.