Dr. Sarah ChenWhy Satoshi's Bitcoin Is the Highest-Stakes Quantum Target
Approximately 1.1 million Bitcoin sit unmoved in addresses linked to Satoshi Nakamoto. These coins were mined in Bitcoin's earliest blocks, between January 2009 and roughly mid-2010. They have never been spent. Most analysts treat them as permanently lost or intentionally dormant.
But there is a specific technical reason these coins are more vulnerable to quantum attack than any other Bitcoin: their public keys are already fully visible on the blockchain. A sufficiently powerful quantum computer would not need Satoshi to sign a single transaction to steal every one of them.
This is not a theoretical edge case. It is the most concrete near-term quantum risk to Bitcoin's market cap, and it has no clean patch.
What Is the Patoshi Pattern?
Sergio Demian Lerner identified a distinctive nonce pattern in early Bitcoin blocks in 2013. The pattern, now called the Patoshi pattern, appears across roughly 22,000 blocks mined between January 2009 and early 2010. Each block contains a 50 BTC coinbase reward. That gives an upper bound of around 1.1 million BTC attributed to a single miner, almost certainly Satoshi.
The Patoshi pattern is visible because the nonce values in affected blocks follow a specific scanning behavior that differs from other miners of that period. Later analysis by Lerner and others refined the estimate, but the 1.1 million BTC figure remains the widely cited number. For context, that is roughly 5.2% of the total 21 million BTC supply.
None of these coins have moved. The addresses are known. The outputs are unspent. And critically, they were created using a specific output type that exposes the full public key on-chain.
What Is P2PK and Why Does It Expose the Public Key?
Pay-to-public-key (P2PK) was Bitcoin's original output format. In a P2PK output, the locking script contains the full uncompressed 65-byte public key directly. Anyone looking at the Bitcoin blockchain can read it.
Compare this to the format that replaced it: pay-to-public-key-hash (P2PKH). In P2PKH, the locking script contains only a hash of the public key (specifically, RIPEMD-160 applied to SHA-256 of the key). The actual public key is not revealed until the coins are spent, at which point it appears in the unlocking script alongside the signature.
This distinction matters enormously for quantum security. A quantum computer running Shor's algorithm can derive a private key from a known public key. If the public key is on-chain and readable right now, a quantum attacker does not need to wait for the owner to spend. They can compute the private key at their leisure, generate a valid signature, and broadcast a transaction to any address they control.
Every Patoshi-pattern block from 2009 used P2PK outputs. The full public keys for Satoshi's estimated 1.1 million BTC are already on-chain and have been since the blocks were mined.
How Many Qubits Would an Attacker Actually Need?
Breaking a 256-bit elliptic curve key with Shor's algorithm requires a fault-tolerant quantum computer. Current estimates from academic research place the threshold at roughly 2,000 to 4,000 logical qubits, depending on the circuit depth and error correction assumptions used. In terms of physical qubits, accounting for current error rates, that translates to millions of physical qubits with today's hardware architectures.
No machine close to that threshold exists today. IBM's current roadmap targets 100,000 physical qubits by the late 2020s, but physical qubit count alone does not translate directly to logical qubit capability. The gap between physical and logical qubits depends on error rates, and current rates remain too high for the required circuit depth.
However, the timeline is not static. Improvements in error correction, qubit coherence times, and new hardware architectures could compress the timeline significantly. The specific qubit requirements to break Bitcoin remain an active research question, with new estimates appearing regularly.
For P2PK outputs, none of this requires a race against time during a transaction window. The attacker simply needs to reach the threshold. Then they can act.
The Market Impact of 1.1 Million BTC Hitting the Mempool
If a quantum attacker successfully derived Satoshi's private keys and broadcast transactions moving the full 1.1 million BTC, the market impact would be severe and immediate.
At a Bitcoin price of $100,000, those coins represent $110 billion in value. Selling even a fraction of that amount into open markets would cause massive downward price pressure. The mempool signal alone, the broadcast of transactions moving coins that have not moved since 2009, would likely trigger widespread panic selling before any coins were exchanged.
The second-order effects are harder to model. If quantum computers are capable enough to break Bitcoin's cryptography, every elliptic curve-based system is at risk simultaneously. The broader implications go well beyond Satoshi's coins. But those coins are the single largest identifiable tranche of quantum-exposed BTC, and their movement would be the first visible signal of Q-Day arriving for Bitcoin.
The Proposal to Freeze Old P2PK Addresses
Several researchers and Bitcoin community members have proposed a consensus rule change that would freeze all P2PK outputs, making them unspendable after a specified block height. The logic is that Satoshi is almost certainly unable to recover these coins anyway (given the presumption of lost keys or death), and freezing them prevents a quantum attacker from using them to destabilize the market.
This proposal is deeply controversial. Bitcoin's core property is that rules do not change retroactively to confiscate outputs. Freezing P2PK outputs would set a precedent that coins can be made unspendable by social consensus, which many in the Bitcoin community consider a category violation worse than the quantum threat itself.
BIP-360, a proposal focused on post-quantum Bitcoin migration, addresses this problem differently. Rather than freezing existing outputs, BIP-360 proposes a new P2QRH (pay-to-quantum-resistant-hash) output type using the NIST-standardized ML-DSA (Dilithium) signature scheme. The proposal outlines a migration path for users but does not resolve the question of unmigrated P2PK outputs belonging to absent owners.
The freeze debate has no resolution in sight. Bitcoin's governance process requires overwhelming consensus for any rule change, and the community is split between those who see the quantum risk as existential and those who see any confiscation mechanism as equally dangerous.
Why This Is the Most Concrete Near-Term Quantum Risk to Bitcoin
Most discussions of quantum risk focus on the broader threat: a quantum computer breaking all elliptic curve cryptography, forcing a network-wide migration. That threat is real but diffuse. The Satoshi coins problem is different because it is specific, identifiable, and quantifiable right now.
The 1.1 million BTC in Patoshi-pattern blocks are not behind a hash. Their public keys are not protected by an unsolved cryptographic problem that gets harder over time. They are sitting in fully exposed P2PK outputs, and they will remain there unless the network takes the extraordinary step of freezing them or Satoshi somehow appears and moves them.
The harvest-now, decrypt-later attack model applies here too. A sophisticated actor who expects to reach quantum capability within a decade could already be building a complete record of all P2PK outputs and the public keys associated with them. That preparation costs almost nothing. The attack itself just requires reaching the qubit threshold.
For Bitcoin holders, the question is not whether to worry about Satoshi's coins directly. You cannot protect them. The question is whether Bitcoin's value proposition remains intact if the network cannot resolve the governance problem around P2PK outputs before a sufficiently powerful quantum computer exists.
The Coinbase 2026 quantum report estimated that roughly 4 million BTC total are vulnerable due to exposed public keys, with Satoshi's coins representing the single largest identifiable tranche. That report treated P2PK exposure as a near-term material risk, not a speculative future concern.
BIP-360's P2QRH proposal, if adopted, would protect new coins going forward. It would not protect Satoshi's 1.1 million BTC. Those coins will remain in P2PK outputs indefinitely unless the community accepts the freeze precedent, which currently appears unlikely. That is the gap that no technical proposal has closed.
What Bitcoin Holders Should Know
If you hold Bitcoin in modern address formats (P2WPKH or P2TR, commonly called native SegWit or Taproot addresses), your public key is not exposed until you spend. Your quantum risk window is limited to the roughly 10 minutes your transaction spends in the mempool before confirmation. That is a meaningfully different risk profile from P2PK.
If you hold Bitcoin in a legacy P2PKH address that you have never spent from, your public key is similarly protected by its hash. But if you have spent from that address even once, your public key is now permanently on-chain, and the address should be considered equivalent to P2PK for quantum purposes.
The practical steps for reducing your own quantum exposure are available and worth reviewing. Satoshi's coins are a separate problem. But understanding why they are exposed, and what makes P2PK outputs fundamentally different from modern address types, is the foundation of thinking clearly about Bitcoin's quantum vulnerability.
