Harvest Now, Decrypt Later: The Blockchain Threat Already Active
TL;DR: Harvest-now-decrypt-later (HNDL) is not a future threat for blockchain: it is an active one. Every signed transaction on Bitcoin, Ethereum, and other classical blockchains is being stored by entities who expect to hold sufficient quantum computing capability within ten to twenty years. The blockchain is uniquely bad for HNDL because the data is public, permanent, and perfectly formatted for later cryptanalysis. This guide covers the evidence for active collection, which assets are highest-risk, and the architectural difference between migration-based defenses and structural immunity.
What HNDL Is and Why Blockchain Is Its Ideal Target
Harvest-now-decrypt-later describes an attack strategy in which an adversary collects encrypted or signed data today, stores it, and decrypts or forges it later when cryptanalytic capability improves. The strategy is rational when the data has long-term value that exceeds the cost of storage and waiting, and when there is a credible path to improved capability. Quantum computing provides exactly that credible path for elliptic curve cryptography.
Blockchain is uniquely well-suited as an HNDL target for reasons that distinguish it from other encrypted data stores. First, blockchain transaction data is public and freely available. No breach is required to obtain it; no insider access, no hacking, no legal process. Any party can download the entire Bitcoin or Ethereum blockchain history at any time, with no authentication. The signed transaction data, including public keys and signatures, is packaged for easy collection.
Second, blockchain data is permanent. Encrypted email from 2010 may have been deleted. Database backups from legacy banking systems may have been overwritten. But Bitcoin blocks from 2009 are preserved in hundreds of thousands of full nodes worldwide and will remain accessible indefinitely. Every signed Bitcoin transaction in history is still available for cryptanalysis.
Third, the data is perfectly formatted for later attack. A signed Bitcoin transaction contains the public key (for P2PK outputs) or reveals it at spending time (for P2PKH outputs), along with the signature. This is precisely the input format needed for Shor's algorithm: a public key and a signed message. There is no need to reverse-engineer the data format or recover additional context; it is all there, in standardized script formats, indexed and searchable.
The NSA's CNSA 2.0 guidance explicitly acknowledges the HNDL threat as a primary motivation for its post-quantum migration timeline. The document does not frame PQC migration as a precaution against a speculative future threat; it frames it as a response to a current adversarial activity that creates obligations for system operators right now.
What Data Nation-State Actors Are Collecting Right Now
The specific blockchain data relevant to HNDL collection falls into three categories, ordered by attack priority. Understanding these categories helps prioritize which assets and which transaction types deserve the most urgent migration attention.
P2PK outputs and early P2PKH spending transactions: These are the highest-priority targets because the public key is already on-chain. No future blockchain interaction is required to obtain the data needed to run Shor's algorithm. For Satoshi-era P2PK outputs holding millions of dollars in early mining rewards, a collector today has everything they need except the quantum hardware. The attack will be executable the day sufficient quantum capability exists. The Coinbase IAB April 2026 report estimated approximately 6.9 million BTC in this category.
High-value wallet address histories: For addresses with significant historical transaction volumes, the signing data from all historical transactions creates a rich dataset for cryptanalytic analysis. Multiple signatures from the same key pair provide more information for lattice-based side channel attacks (not to be confused with Shor's algorithm, but relevant for other post-quantum cryptanalytic scenarios) and allow cross-validation of derived keys.
DeFi interaction histories and smart contract governance signatures: On Ethereum, every interaction with a DeFi protocol is a signing event. The governance keys that control Uniswap, Aave, MakerDAO, and other major protocols have signed thousands of transactions. If a quantum attacker derives the private key corresponding to a multisig governance signer, they potentially control protocol upgrade authority worth billions of dollars. This is qualitatively different from stealing individual wallet funds: a compromised governance key allows an attacker to drain entire protocols.
The evidence for active collection programs is substantial, though necessarily incomplete given classification constraints. The Snowden documents from 2013 revealed that NSA's MUSCULAR program was collecting internet traffic at scale, including encrypted data intended for later processing. The XKEYSCORE system demonstrated the NSA's capability to index and search collected internet traffic. There is no public evidence that these programs specifically target blockchain transaction data, but the capability is demonstrably present and the motivation (financial intelligence, sanctions enforcement, criminal investigation) is clearly there. It would be surprising if the world's most capable SIGINT agencies were NOT collecting blockchain data at scale.
The GCHQ quantum guidance documents, released through Freedom of Information channels, acknowledge that GCHQ expects quantum computing to break RSA and elliptic curve cryptography on a timeline consistent with the IBM roadmap. These documents do not describe current collection programs, but they document the institutional recognition that current cryptographic assets are being collected with future quantum decryption in mind.
The Economics of HNDL: When Does Collected Data Become Valuable?
Understanding the HNDL threat requires thinking about the economics of the attack from the adversary's perspective. Collection costs today are effectively zero for blockchain data: it is freely downloadable. Storage costs for the full Bitcoin blockchain history (roughly 650 GB as of 2026) are negligible at current storage prices. The investment required to run Shor's algorithm at scale, once the necessary quantum hardware exists, is large but not prohibitive for a nation-state or a well-funded private actor. The question is: what is the expected return, and over what time horizon?
For the Satoshi-era P2PK outputs containing roughly 1.1 million BTC (estimated from block reward patterns in the first year of Bitcoin's operation), the return at current prices is approximately 100 billion dollars or more, assuming all those coins remain unmoved until a quantum attacker claims them. That is an expected return that justifies essentially any storage cost and most quantum hardware development costs, for an actor with a ten-to-twenty-year investment horizon.
For DeFi governance key attacks, the expected return is not the historic value of a single wallet but the current value of entire protocol treasuries at the moment of attack. Uniswap's treasury currently holds several billion dollars in assets; Aave, Compound, MakerDAO, and other major protocols hold similar or larger amounts. The sum of DeFi protocol treasury value accessible via compromised governance keys is in the tens of billions of dollars. This represents a return that makes sophisticated HNDL investment highly rational for any actor with plausible quantum computing access in the 2030-2040 window.
The timing of the attack is also strategically relevant. An attacker who waits until a day before quantum computing becomes publicly known to have achieved cryptographic relevance can execute against every vulnerable address simultaneously, creating mass withdrawal events before any defensive migration can occur. The information asymmetry between the first actor with cryptographically relevant quantum computing and the rest of the world is a one-time advantage worth preserving. This creates strong incentives for the first quantum-capable actor to remain covert rather than disclosing their capability.
Which Blockchain Assets Are the Highest-Priority HNDL Targets
Prioritizing the HNDL risk requires thinking about four dimensions: asset value, attack difficulty (based on public key availability and key strength), time sensitivity, and attacker profile. The following categories represent the highest-priority targets in roughly descending order of expected attacker preference.
First: early Bitcoin P2PK outputs. The public key is on-chain, the asset value is extremely high, and the victim cannot be warned or take defensive action without executing a transaction that itself creates a race condition. These are the "free money" category: an attacker who achieves sufficient quantum capability simply generates the private key, signs a transaction, and claims the funds. No social engineering, no zero-day exploit, no insider access required.
Second: high-value exchange cold wallets. Major exchanges hold tens of billions of dollars in cold storage. If an exchange has ever moved funds from a cold storage address, that address's public key is on-chain. Exchange cold wallets that have sent transactions are fully quantum-exposed. Exchanges that operate Proof-of-Reserves with on-chain verification are, paradoxically, creating a rich map of their most valuable quantum-exposed addresses.
Third: DeFi protocol governance signers. The individuals who hold governance multisig keys for major DeFi protocols have typically signed many on-chain transactions. Deriving their private keys from public blockchain data gives an attacker upgrade authority over protocols with multi-billion-dollar TVL. Unlike stealing from individual wallets, compromising governance keys allows an attacker to implement malicious upgrades that drain entire protocols in a single transaction.
Fourth: institutional custodian addresses. Coinbase Custody, BitGo, Anchorage Digital, and similar qualified custodians hold assets for institutional clients. Any custodian address that has been used for withdrawals has its public key on-chain. The asset values are large and the regulatory environment means custodians are unlikely to migrate quickly without specific guidance.
Structural Immunity vs Key Migration: Two Different Defenses
The most important conceptual distinction in quantum threat response is between structural immunity and key migration. They are not interchangeable, and confusing them leads to security plans that address only half the problem.
Key migration means moving assets from quantum-exposed classical addresses to new addresses, either on the same blockchain (moving BTC from an exposed P2PKH address to a fresh one) or to a different blockchain (moving value from Ethereum to a quantum-resistant chain). Key migration reduces current exposure by removing assets from addresses with known public keys. But migration is a snapshot defense: the moment the migrated assets interact with a new address on a classical blockchain, the exposure cycle begins again. Migration to a classical blockchain buys time; it does not provide structural protection.
Structural immunity means the blockchain's architecture makes HNDL collection ineffective by design. There are two ways to achieve structural immunity. The first is never exposing public keys on-chain at all, which requires either hiding public keys behind quantum-resistant hashes (difficult on classical chains without protocol changes) or using signature schemes where the on-chain data cannot be used to recover the private key. The second, more robust approach is ensuring that even if a public key is temporarily visible during a transaction, it is already retired by the time any adversary processes the data, making the collected public key useless.
QuanChain's TADEQS architecture implements the second approach. The SpendAndRotate mechanism ensures that every transaction atomically retires the current key and installs a new one. By the time the transaction is confirmed in a block (seconds to minutes), the public key visible in that transaction is already invalid. An HNDL adversary who collects that transaction data has a public key that controls no funds. Running Shor's algorithm against it produces a private key for a retired account with zero balance.
This is fundamentally different from key migration. Migration moves the vulnerability forward in time: the old address is safe because empty, but the new address accumulates exposure with each transaction. TADEQS eliminates the accumulated exposure entirely: every transaction, no matter how many occur over the life of a wallet, leaves only a retired, worthless public key on-chain. The QuanChain technology documentation covers the full TADEQS specification including how SpendAndRotate interacts with the ML-DSA-87 signing scheme.
HNDL makes the blockchain's permanent, public ledger its own worst enemy against quantum attacks. Every signed transaction stored on-chain is a timestamped cryptographic puzzle waiting for the day quantum hardware can solve it. Structural immunity means the puzzle, when solved, yields nothing of value.
What Organizations Should Do Right Now
For organizations holding significant digital asset value, the practical response to HNDL risk has three tiers, ordered by urgency. The first tier addresses immediate high-value exposure: audit all holdings for P2PK outputs and addresses with prior outgoing transactions, and migrate those assets to fresh addresses in the near term. This eliminates the most immediately actionable HNDL targets.
The second tier addresses ongoing operational security: implement address hygiene practices that minimize public key exposure. Use fresh receive addresses for each transaction, never reuse addresses after spending, and consider how exchange custody exposes addresses through Proof-of-Reserves attestations and withdrawal operations. Establish internal quantum risk monitoring protocols that track the IBM roadmap and NIST migration guidance.
The third tier is architectural: evaluate whether critical long-term value holdings belong on classical blockchains at all. For asset stores with a ten-to-twenty-year horizon, a blockchain designed from the ground up for quantum resistance, with structural immunity rather than migration-based defenses, provides meaningfully stronger guarantees than an ongoing migration posture on a classical chain. The NSA's CNSA 2.0 guidance recommends that national security systems complete post-quantum migration by 2033. Organizations with fiduciary responsibility for long-lived digital assets should treat 2033 as an outer bound, not a target date.
Frequently Asked Questions
Related Guides
Security · 14 min read· Blog
Harvest Now, Decrypt Later: Why the Quantum Threat Is Already Here
Bitcoin Security · 12 min read
Bitcoin Quantum Risk Assessment: Is Your BTC Safe?
Research · 10 min read· Blog
The Qubit Requirement Dropped 200× in Seven Years — Q-Day Is Closer Than Blockchain Was Ready For
Standards · 16 min read
Implementing NIST Post-Quantum Standards: FIPS 204, 205, and 206