TLDR
- Google says breaking Bitcoin’s encryption may need fewer than 500,000 qubits, far less than previous estimates
- Researchers designed attack methods needing only 1,200–1,450 high-quality qubits
- A quantum attacker could potentially hijack a Bitcoin transaction in about 9 minutes
- Bitcoin’s Taproot upgrade makes public keys visible by default, widening the risk pool
- About 6.9 million Bitcoin already sit in wallets with exposed public keys
Google’s Quantum AI team published a whitepaper this week saying that breaking Bitcoin’s encryption may be easier than most experts thought. The computing power required could be far lower than estimates from recent years.
Google Quantum AI released a whitepaper warning that cracking 256-bit ECC, widely used in crypto wallets, requires fewer resources than expected. With under 500k physical qubits, it could be cracked in minutes. Google urged the industry to accelerate its migration to Post-Quantum… pic.twitter.com/DpdSPmYhYc
— Wu Blockchain (@WuBlockchain) March 31, 2026
Researchers found that cracking the cryptography protecting Bitcoin and Ethereum wallets might take fewer than 500,000 physical qubits. Previous estimates put that number in the millions.
The team designed two possible attack methods. Each one requires roughly 1,200 to 1,450 high-quality qubits. That is a fraction of what scientists previously believed was needed.
Qubits are the building blocks of quantum computers. These machines can solve certain problems much faster than regular computers, including breaking the encryption that protects crypto wallets.
Google has previously flagged 2029 as a potential milestone for useful quantum systems. The new research suggests the gap between today’s technology and a working attack may be smaller than many assume.
The paper describes how an attack could work in real time. When someone sends Bitcoin, a piece of data called a public key is briefly visible on the network.
A quantum computer could use that exposed public key to calculate the private key and redirect the funds. Under Google’s model, part of the calculation can be prepared in advance.
The final step could be completed in about nine minutes once a transaction is broadcast. Bitcoin transactions typically confirm in around 10 minutes.
The Race Against Confirmation Time
That narrow window gives a quantum attacker roughly a 41% chance of beating the original transaction. Other cryptocurrencies like Ethereum may face less risk here because they confirm transactions faster.
Google’s team also pointed to Bitcoin’s Taproot upgrade, introduced in 2021, as a factor that could increase exposure. Taproot improved privacy and efficiency but made public keys visible by default.
Older Bitcoin address formats included an extra layer that kept public keys hidden until a transaction was made. Taproot removed that protection for wallets using the new format.
Bitcoin Already Exposed
The paper estimates about 6.9 million Bitcoin already sit in wallets with exposed public keys. That is roughly one-third of the total supply.
Around 1.7 million of those Bitcoin come from the network’s early years. The rest come from address reuse and Taproot wallets.
That figure is much higher than a recent CoinShares estimate, which suggested only around 10,200 Bitcoin were concentrated enough to move markets if stolen.
Google changed how it published its findings. Instead of releasing a step-by-step method, the team used a zero-knowledge proof to confirm the results without exposing the full technique.
Google says quantum attacks on crypto are not yet possible today, but is urging earlier migration to post-quantum security standards.
