
Lopp Maps How Quantum Attackers Could Weaponize Exposed BTC

Jameson Lopp: Bitcoin Quantum Attackers Could Weaponize Coins

Featured image created with ChatGPT

Bitcoin security engineer and Casa co-founder Jameson Lopp has published a detailed threat-modeling essay examining how a cryptographically relevant quantum computer could be used against Bitcoin. The May 21 post, titled “Quantum Attack Game Theory,” is the second installment in his Quantum Series and follows debate around BIP-361, a proposal connected to how Bitcoin should handle quantum-vulnerable coins. Lopp’s central point is that the risk discussion should not be reduced to a single market-dump scenario.

Lopp Quantifies Bitcoin’s Quantum Exposure

Lopp begins by sizing the potential exposure. Using a dashboard of quantum-vulnerable UTXOs with exposed public keys, he wrote that 6,927,060 BTC, or 34.6% of the existing supply at the time of writing, is theoretically vulnerable to a future cryptographically relevant quantum computer. After assuming all actively managed coins migrate to a post-quantum locking scheme, he estimates roughly 2.6 million BTC, or 13% of current supply, could remain exposed because the coins are lost or inactive.

“The response to publication of BIP-361 has shown me that most people seem to be under the assumption that if a quantum attacker came along, they will just scoop up all of the vulnerable bitcoin, sell them, and move on. Thus the market would be volatile for a short time, we’d quickly recover as coins were redistributed during this one-time event, and therefore no action is necessary to avoid pain that would be fleeting.” Lopp argues that this framing misses a wider range of incentives and attack surfaces that could emerge after what he calls “Q-Day.”

The mechanics matter because the exposed funds are not evenly distributed. Lopp writes that an attacker would need to crack more than 16 million public keys to raid every exposed address, but that 1.715 million BTC sit in only about 34,000 P2PK public keys that have been inactive for roughly 15 years. Adding another 540,466 BTC in 1,156 inactive non-P2PK public keys, he estimates that cracking roughly 35,000 public keys could yield 2,255,466 BTC, with the remaining exposed funds requiring far more work.

Attack Scenarios Extend Beyond a Market Dump

Lopp describes a fast market dump as the scenario many observers appear to assume: an attacker sweeps millions of BTC and sells as quickly as possible. He considers it one of the less damaging outcomes over time but also one of the least economically attractive for an attacker. He estimates that a sweep into exchanges or OTC desks could theoretically unfold in several hours, while noting that selling even 20,000 BTC, about $1.6 billion at his cited market context, could cut the exchange rate by 50% on aggregated order-book depth across five major exchanges.

“I have no idea how LIKELY or on what TIME FRAME such an attacker may appear. I’m making absolutely zero claims about the imminence of said threat; that continues to be a ‘wait and see’ issue.” Lopp instead presents the essay as contingency planning, adding: “Any organization of non-trivial size should engage in contingency planning. Bitcoin is a massively distributed organization responsible for securing trillions of dollars in value.”

The more complex scenarios include a slow selloff lasting years, derivatives-driven short strategies, confirmation-delay attacks against in-flight transactions, and block-space griefing. Lopp calculates that an attacker controlling 2 million BTC could fund block-space disruption for 400 years at 10 sat/vB, 40 years at 100 sat/vB, or four years at 1,000 sat/vB. He also outlines “anyone can spend” and high-fee transaction strategies that could create incentives for miners to attempt reorganizations, especially where unusually large fees or bounties change the economics of extending the chain honestly.
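The block-space griefing figures above follow from a few explicit assumptions that the article does not spell out. The following short model is an added example, not code from Lopp's essay or from the article; it assumes a full block is roughly 1,000,000 vB (4M weight units) and that blocks arrive every 10 minutes on average (144 per day), and with those assumptions it reproduces the roughly 400 / 40 / 4 year runways for a 2 million BTC budget. The inverse function is useful from the defender's side: given a sustained fee floor that looks artificial, it gives the budget an attacker would need to keep it up for a given period.

```python
"""Added worked example (not from Lopp's essay or the article): how long a
fixed BTC budget could fund filling every block at a given fee rate."""

SATS_PER_BTC = 100_000_000
BLOCK_VBYTES = 1_000_000        # assumption: 4M weight units ~= 1M virtual bytes per block
BLOCKS_PER_YEAR = 144 * 365     # assumption: one block every 10 minutes on average


def griefing_cost_per_block_sat(fee_rate_sat_per_vb: float) -> float:
    """Sats needed to outbid all other users for an entire block at this fee rate."""
    return fee_rate_sat_per_vb * BLOCK_VBYTES


def griefing_runway_years(budget_btc: float, fee_rate_sat_per_vb: float) -> float:
    """Years an attacker could fill every block before exhausting budget_btc."""
    budget_sat = budget_btc * SATS_PER_BTC
    sat_per_year = griefing_cost_per_block_sat(fee_rate_sat_per_vb) * BLOCKS_PER_YEAR
    return budget_sat / sat_per_year


def budget_btc_for_runway(years: float, fee_rate_sat_per_vb: float) -> float:
    """Inverse view: BTC an attacker must hold to sustain a fee floor for `years`."""
    sat_total = griefing_cost_per_block_sat(fee_rate_sat_per_vb) * BLOCKS_PER_YEAR * years
    return sat_total / SATS_PER_BTC


def runway_table(budget_btc: float, fee_rates) -> dict:
    """Runway in years for each fee rate, keyed by sat/vB."""
    return {rate: griefing_runway_years(budget_btc, rate) for rate in fee_rates}


if __name__ == "__main__":
    # The 2,000,000 BTC budget is the figure quoted in the article.
    for rate, years in runway_table(2_000_000, (10, 100, 1_000)).items():
        print(f"{rate:>5} sat/vB: {years:7.1f} years of full-block griefing")
    # Defender's question: what budget would a 5-year floor at 50 sat/vB imply?
    print(f"5 years at 50 sat/vB needs {budget_btc_for_runway(5, 50):,.0f} BTC")
```

Under these assumptions the model yields about 380 years at 10 sat/vB, 38 at 100 and 3.8 at 1,000, which round to the essay's 400 / 40 / 4; the exact values move with whatever block-size and block-interval assumptions one prefers, so treat the outputs as order-of-magnitude estimates rather than forecasts.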

Lopp also extends the analysis to second-layer systems and mining centralization. Public Lightning channels expose funding public keys through channel announcements, which he says could make them vulnerable if a quantum-capable adversary can derive the relevant private keys. He further argues that a quantum attacker with hundreds of billions of dollars in newly controlled BTC could, in theory, attempt to buy or influence enough hashrate to pursue 51% attacks, censorship, double-spending, or empty-block attacks.

“To be clear, my goal is to comprehensively catalog every possible harmful scenario that could result from a quantum attacker who scoops up all of the quantum vulnerable UTXOs. I think that in order to properly discuss solutions to quantum threats, we must first map out the problem space.” That framing is important: the essay does not forecast that such an attacker is imminent, but it does argue that Bitcoin’s planning assumptions should account for adversaries whose incentives may be financial, malicious, geopolitical, or strategic.

Lopp’s conclusion is that Bitcoin’s best defenses remain monitoring quantum-computing progress, reducing hashrate concentration, preparing for post-quantum cryptography if the risk becomes realistic, and coordinating around undesirable outcomes before they arrive. His closing line captures the essay’s risk-management posture: “We can certainly hope that this threat will never emerge. But hope is not a strategy.”

AI Transparency Note: This article was prepared with the assistance of an AI system based on the sources listed and was reviewed, edited, and approved by a human editor before publication. All quotes, data points, and factual claims are intended to be grounded in the cited source material; however, errors cannot be ruled out entirely.
