
This essay is part 2 in my Quantum Series.
Part I: Against Allowing Quantum Recovery of Bitcoin
Part II: Quantum Attack Game Theory
Part III: Bitcoin Governance & Security Precedents (future post)
Part IV: Quantum Resistant Rescue Research (future post)
The response to publication of BIP-361 has shown me that most people seem to be under the assumption that if a quantum attacker came along, they will just scoop up all of the vulnerable bitcoin, sell them, and move on. Thus the market would be volatile for a short time, we’d quickly recover as coins were redistributed during this one-time event, and therefore no action is necessary to avoid pain that would be fleeting.
Unfortunately, it’s not quite that simple. In the text of the BIP we were intentionally vague with regard to post-Q-Day attacks and undesirable outcomes because going into detail would have made the BIP unwieldy to digest out of sheer length.
Some will surely characterize the following as a FUD post. Quantum attacks sound scary and can cause fear – and there’s no shortage of uncertainty and doubt when it comes to the quantum computing industry! But this essay is not full of misinformation claiming to predict the future. To be clear, my goal is to comprehensively catalog every possible harmful scenario that could result from a quantum attacker who scoops up all of the quantum vulnerable UTXOs. I think that in order to properly discuss solutions to quantum threats, we must first map out the problem space.
I have no idea how LIKELY or on what TIME FRAME such an attacker may appear. I’m making absolutely zero claims about the imminence of said threat; that continues to be a “wait and see” issue. It’s still prudent to scope out worst case scenarios as a part of contingency planning.
Any organization of non-trivial size should engage in contingency planning. Bitcoin is a massively distributed organization responsible for securing trillions of dollars in value. It’s irresponsible to fail to plan for even the least likely of edge cases.
As a security engineer, it is quite literally my job to think about everything that could possibly go wrong with systems for which I am responsible, in order to plan mitigation strategies to reduce the severity of failure scenarios. I will not be shamed or make any apologies for applying my expertise in pursuit of protecting my investment.
I’m not spending a lot of my time thinking deeply about how quantum computers could threaten Bitcoin because I think we’re doomed.
I think we’re doomed if NOBODY spends time thinking about edge cases and coming up with contingency plans.
— Jameson Lopp (@lopp) May 20, 2026
The following essay has been peer reviewed by multiple technical Bitcoin experts, thus errors should be minimal. But, as always, feel free to use my contact form to suggest corrections.
How Much BTC Could Be Stolen?
First off, we need to scope out the size of the potential threat.
There’s a great dashboard of quantum vulnerable coins (UTXOs with exposed public keys) available at Wicked’s web site.
https://wickedsmartbitcoin.com/quantum_exposure
At time of writing 6,927,060 BTC, AKA 34.6% of the total existing supply, has exposed public keys and is thus theoretically vulnerable to a cryptographically relevant quantum computer (CRQC) that may some day be built. But of course, this figure will likely change over time, especially if Bitcoin implements some sort of post quantum signature scheme and if people start to become more worried about potential quantum threats.
Let’s optimistically assume that ALL of the actively managed bitcoin migrates before Q-Day. If you sum up ONLY the inactive bitcoin from the above chart, that’s 3,413,595 BTC.
Furthermore, if you drill down into how many of the inactive (for the past year) coins belong to still-operational known entities, you find that around 750,000 BTC can be accounted for and thus would likely migrate since they’re probably not lost.
Another way to look at the risk is from lost / inactive coins. We can see from this chart that over 17% of BTC have not been spent in over a decade. That’s 3,400,000 BTC. Note that this figure also includes funds that DON’T have exposed public keys.
https://charts.bitbo.io/hodl-waves/
As such, I think a reasonable estimate for the number of lost coins with exposed public keys is roughly 2,600,000 BTC, or 13% of the current total supply. In other words, this is about how much BTC I expect would be unable to migrate to a quantum safe locking script if we come to consensus on implementing a post quantum signature scheme.
How Quickly Could the BTC be Stolen?
Now we have a rough idea for the floor of how much a quantum attacker could enrich themselves: about $200B at current exchange rates. But how quickly could they do so? This is a much trickier question to scope.
A quantum attacker would have to crack over 16,000,000 public keys in order to raid every exposed address at time of writing. Of course, the value of funds is nowhere near evenly distributed across public keys…
Over 1,715,000 BTC are stored in a mere 34,000 public keys in P2PK outputs. These have been inactive for ~15 years and are highly unlikely to migrate.
Beyond that, there are 540,466 BTC in another 1,156 public keys in non-P2PK output types that belong to inactive addresses and don’t belong to any known entities.
Thus, cracking around 35,000 public keys would net an attacker a cool 2,255,466 BTC. Cracking the remaining 10% of exposed funds that are unlikely to migrate would take a lot longer… about 500 times longer, in fact.
How long might it take to crack a single key? That’s the trillion dollar question – right now it takes longer than the universe as we know it will continue to exist.
A worst case scenario for quantum attack is if there are enough breakthroughs that the time to break an elliptic curve key drops below 10 minutes, because that opens up the vulnerability from long-range attacks to also short-range attacks on in-flight transactions.
To put it in perspective, here is how long it would take to crack those ~35,000 keys one after another if said CRQC's speed is:
| Time to crack one key | Time to crack ~35,000 keys |
| 1 day | 96 years |
| 1 hour | 4 years |
| 10 minutes | 243 days |
| 1 minute | 24 days |
An important aspect of cracking keys is it can be done in private; there’s no need to use those keys to sign a transaction, broadcast it, and move the funds until you’re ready to reveal yourself to the world. It would be sensible for an entity that makes enough breakthroughs to be able to crack keys in a short timeframe to crack as many as possible before revealing their advantage.
As such, if an entity advanced to the point that they could crack a key in a few days or weeks, I’d expect they would prioritize cracking the highest value keys that also have been inactive the longest, in order to minimize the chance of funds moving before the “big reveal.” Simultaneously, they’d continue searching for other breakthroughs to bring down the time required to crack each key.
Another factor that is unknown is how expensive it will be for an entity that achieves a CRQC to scale up. If, for example, someone manages to achieve the ability to crack a key in less than a day while also being able to build new quantum computers with that capability for $100K or $1M each, perhaps they will be able to deploy tens or hundreds of machines to crack many keys in parallel.
The Stage is Set
To recap the specific scenario: we are envisioning a potential future in which Bitcoin HAS IMPLEMENTED some sort of post quantum cryptographic scheme AND everyone who is capable of accessing their keys HAS migrated their funds. If either of the prior two conditions are NOT met and a quantum capable entity appears, the potential negative outcomes are far broader and worse in severity. You should expect that, in those scenarios, the rational decision for bitcoin holders will be to seek safety by selling and exiting the system.
By now you should have a decent picture of the potential problem: in an asymmetric scenario, one entity manages to pull ahead in the race to a CRQC and is able to covertly crack the keys to over 2M BTC before anyone else. Perhaps some other entities have managed to crack a handful of keys, but they are still doing so privately and trying to speed up their rate of cracking, thus none are aware of anyone else’s progress.
Then, in one fell swoop, the winner of the quantum race publishes ~10 blocks worth of transactions, sweeping the 2M+ BTC to addresses they control over the period of just a couple of hours. For maximum stealth, they’d do so around 05:00 UTC on a weekend when most of the Americas and Europe are asleep or otherwise unlikely to be paying attention.
The initial funds sweep is only the beginning. What comes next?
It really depends on who wins the quantum race and their motivations.
Rational Self-Interested Attacks
Based upon common community reactions to BIP-361, it seems that the overwhelming assumption is that an attacker would be motivated to quickly enrich themselves as a result of acquiring tons of bitcoin. This is a reasonable assumption, though I’ll explain later why it’s by no means a guarantee. Nonetheless, let’s start off by thinking through how one might enrich themselves if they’re in a position of quantum supremacy.
What does the incentive look like? While there are tech giants working on innovating quantum computing, there are also plenty of (relatively smaller) startups.
| Company | Approximate capital raised |
| IonQ | ~$3.1B |
| PsiQuantum | ~$2.3B |
| Quantum Computing Inc. | ~$1.6B |
| Infleqtion | ~$1.4B |
| Quantinuum | ~$1.2B |
| SandboxAQ | ~$950M |
| D-Wave Quantum | ~$789M |
| IQM Quantum Computers | ~$600M |
| Xanadu | ~$547M |
| Pasqal | ~$300M |
Imagine being able to deliver a 100X or more return to your investors – it’s quite clear that investors would love that!
The Market Dump
This seems to be the scenario that most people in conversations I’ve seen are assuming will happen. Basically, an attacker gets a ton of bitcoin and tries to offload it as quickly as possible.
I dare say this would be one of the better scenarios because the ecosystem-wide pain would be temporary and the markets would recover reasonably quickly. However, I also find it to be the least likely because it would result in the smallest gain for a quantum attacker.
The fastest that I expect such a dump could occur would be in just a few hours. Recall it would take about 2 hours to get all of the funds sweeping transactions confirmed. Assuming that the attacker swept funds directly into centralized exchanges / OTC desks, they generally require just a few confirmations before the funds are released for trading, so the dumping could commence before the last of the transactions have confirmed. Thus the entire thing could feasibly be finished from start to finish in 4 hours.
How low could the price go? Effectively to zero, probably into the single or double digits of dollars. Cumulative order book depth across exchanges is nowhere near $200B.
According to this aggregated order book for 5 major exchanges, at time of writing, dumping 20,000 BTC ($1.6B) could easily tank the exchange rate by 50%, below $40,000. I think it’s pretty safe to say that an entity that could cause that much volatility with only 1% of their holdings has the power to do much worse.
But wait, you might say, couldn’t they just sell OTC without major slippage? That only works up to a certain point. We can’t know the exact volume metrics for OTC exchanges, though the largest OTC trade ever executed that we know of was in 2025 for 80,000 BTC / $9B and my understanding is that it took several days and multiple liquidity sources to facilitate. The daily OTC volume estimates I’ve been able to find place average BTC volume at $10B to $20B per day. Point being, if you want to sell tens of billions of dollars worth of bitcoin very quickly, you’ll have a hard time finding enough liquidity and if you’re in a rush, it will certainly impact spot market prices as all the liquidity gets sucked up.
The OTC path also optimistically assumes that the counterparties won’t notice massive on-chain movements happening and pull their bids out of fear. You should expect a ton of on-chain flow analysis bots to start alerting like crazy as soon as the funds start moving, and OTC traders tend to be more sophisticated and clued in to signals like that.
How quickly the market would rebound after such an event is anyone’s guess. If we could see that the total number of long-range quantum vulnerable coins had significantly decreased, that would be a positive because the “overhang” risk of quantum attackers was significantly diminished. The next question would become how many coins are still exposed to short range attacks.
The Slow Bleed
Clearly, it would be highly irrational to dump so quickly, as you’d end up losing the overwhelming majority of the value due to the market moving. It would probably be quite difficult to extract more than $10B from the market in such a short time period, which would be a 95% failure to realize the value acquired. Instead of market dumping millions of BTC and taking a massive hit due to slippage, it would behoove a quantum capable entity to spread out their sales and essentially dollar value average out of their position.
Think of it like an inverse Strategy, which acquired nearly 2,000 BTC per week in 2025 and YTD in 2026 has acquired 4,000 BTC per week. An entity that has swept over 2,000,000 BTC could sustain a DECADE of overhanging sell pressure at 4,000 BTC per week. Would this harm Bitcoin? Not at a technical level, it would just be annoying and depressing if everyone could see that a single entity was intentionally suppressing the exchange rate for many years and there was nothing we could do about it.
The Big Short
Now we should consider more sophisticated financial strategies. Since this is outside of my wheelhouse, I expect there are many strategies available that I haven’t even considered.
By selling off large tranches of BTC on spot exchanges, an entity with this much economic weight can crash the price, triggering liquidations that can exacerbate the price crash even further. A savvy quantum capable trader could take out a huge short, move enough coins that the market starts to panic, potentially even leverage the coins they’ve swept to short even harder, and then start buying the dip to end up with even far more bitcoin.
Once the market recovers from such an event, they’d just wait for leveraged positions to build back up before rinsing and repeating the strategy.
A key point I want readers to digest: it’s naive to assume that the economic power of a quantum attacker will peak right after their attack is completed. When you own over 10% of a market, you have sufficient size to move the market on a whim. With this power comes the ability to further accumulate assets by “hunting” for traders with exposed positions and by placing BTC-denominated bets on fiat-settled markets.
Short Range Attacks
Depending upon how quickly a quantum adversary can crack a public key, it may make financial sense for them to delay an in-flight transaction from confirming by flooding the mempool with higher paying transactions while the attacker simultaneously tries to crack the key. This could make sense if someone is trying to migrate a cold storage wallet with thousands of BTC. I’ll discuss confirmation delay strategies a bit later.
Appeal to Legal Authorities
A more law-abiding attacker could try to claim “salvage rights” which could put much of the coins in the hands of a government. Nic Carter wrote about this concept here and also penned an entertaining plausible scenario here.
This is also a gnarly scenario that’s outside of my wheelhouse and there are many variables at play.
- What jurisdiction is said quantum company operating out of?
- What are the lost property / salvage laws, if any?
- What do lawyers / judges / courts have to say regarding novel interpretations of said laws?
- Is all of the above moot if the company could effectively be nationalized by its government?
Some may claim that no corporate entity would dare go down the path of absconding with quantum vulnerable bitcoin, but there are a few counterpoints worth noting:
- The incentives are massive enough to justify spending a great deal of resources on legal counsel to try to navigate the justice system.
- If a corporate entity achieves a CRQC, it's always possible that either a rogue employee or a third party attacker makes unauthorized use of their capability to crack bitcoin keys.
Irrational Malicious Attacks
A quantum attacker might not care about profit. This would more likely be the case if it’s a government that prints its own money and BTC is trivially tiny relative to their GDP. We know, for example, that the Chinese Communist Party is no fan of Bitcoin and they also have a variety of quantum computing companies under their boot. Add in the fact that the US Government has made a big deal about their “Strategic Bitcoin Reserve” and it could make sense for China to try to harm the ecosystem as a roundabout way of harming the US.
Confirmation Delay Griefing
An attacker could just decide to grief the network for an extended period of time by sending the coins back to themselves and thus spiking the market for block space. According to my calculations, with 2,000,000 BTC you could buy this much block space at these fee rates:
10 sat/vB: 20,000,000 blocks (400 years)
100 sat/vB: 2,000,000 blocks (40 years)
1,000 sat/vB: 200,000 blocks (4 years)
Of course, to maximize griefing one would not simply publish a perpetual stream of transactions at a given rate in order to set a floor – that would just push the market upward and fee rate estimates would adjust reasonably quickly. Rather, you’d want to inject as much volatility and unpredictability into the market for block space as possible. An attacker would probably want to change the “floor” for getting transactions confirmed on a block-by-block basis so that as many people as possible, who publish a transaction with what seems to be a reasonable fee estimate at the time, find their transaction stuck because the floor has risen above it.
By bumping up the floor after each block is confirmed, you’d also likely trigger a feedback loop in which real users start overpaying significantly on purpose in order to try to beat the inevitably rising floor. Suffice to say that a savvy attacker could sustain this strategy for over a decade.
The nice thing about this griefing attack is that it wouldn’t harm the system much other than degrading the user experience of timely confirmations; it would nicely redistribute the coins to miners via transaction fees. Though, as mentioned earlier, it could also be used in conjunction with other attack strategies.
“Anyone Can Spend” / High Fee Reorganization Chaos
An attacker could, on a regular basis, construct an output that anyone can spend and is worth a significant amount of money, far more than a full day's worth of mining rewards. This is incredibly simple to construct: you generate a P2SH or P2WSH deposit address whose redeem (witness) script is nothing more than OP_TRUE, which immediately evaluates to true and requires no other proof such as a cryptographic signature. Because the address only commits to a hash of that script, nobody can spend the funds until the script itself is revealed; the attacker would reveal it to the entire network by broadcasting a spend of those funds, and from that moment anyone could try to claim them.
Alternatively, they could just broadcast a self-send transaction with an incredibly high fee. The OP_TRUE method would cause a bit more chaos than the latter because we’d see a flood of re-spent RBF transactions as every savvy actor sets up automated daemons to try to claim the funds for themselves.
From a rational miner’s perspective, it starts making sense to try to reorganize the last N blocks in the chain if the expected value of doing so is greater than continuing to extend the chain with new blocks. How would a miner calculate the expected value of an intentional “fee sniping” reorganization?
In Bitcoin, a transaction fee is claimable by the miner whose block includes the transaction, via the block’s coinbase; if that block later becomes stale, its coinbase reward disappears. Competing blocks at the same height do not automatically replace each other; nodes usually mine on the first valid block they saw until one branch becomes the most-work chain. The attack race is well modeled as the same binomial random walk used in the Bitcoin whitepaper’s attacker catch-up analysis (section 11.)
For a miner with 10% of the network hashrate, each extra block they need to reorganize makes the effort about 9 times harder to justify. For a miner with 30%, each extra block makes it about 2.33 times harder. Thus, larger miners need LESS of a reward to incentivize them to try this strategy. If you wish to dig into the math that a miner would use to calculate the expected value of doing so, check out the documentation I’ve published here.
Rational economic miners would then have to determine if it’s worth the risk for them to try to reorganize the chain in order to confirm their own version of the transaction for which they can claim the value. Let’s come up with a concrete example. Foundry tends to be the dominant pool; over the past 3 years they have fluctuated around 30% global hashrate.
https://mempool.space/mining/pool/foundryusa
Let's say Foundry decided to employ a strategy whereby, if they see a high value transaction they could reorganize to take possession of the funds, they're willing to mine on a private chain fork until the expected value turns negative.
The math gets pretty gnarly, so instead of laying out the full explanation here I wrote a chart generator that makes it easy to plug in different variables to visualize the outcome. In case you’re wondering why the chart gets weird after 50% it’s because a miner with 51%+ of the network hashrate doesn’t need much of an incentive to reorganize the chain because they are guaranteed to succeed at their reorganization attempt if they keep going long enough.
To be clear, the Y axis on these charts shows how many blocks a miner with given hashrate % (q) would be willing to attempt reorganizing in order to claim a given fee / reward of BTC. If the fee is low or the miner’s hashrate is low, the answer is 0: they are incentivized to continue honestly extending the blockchain.
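The following is an added example, not the author's chart generator: a small Python model of the same decision. It assumes a single private fork, honest miners who only switch once the fork is strictly longer, a block reward R (subsidy plus typical fees; the 3.125 BTC subsidy is used below with fees ignored), and a give-up rule, `max_extra_deficit`, under which the miner abandons the fork once it has fallen that many blocks further behind than where it started. The catch-up probability is the whitepaper's gambler's-ruin walk; the expected gain is solved exactly as a small tridiagonal linear system rather than simulated. `max_profitable_reorg_depth` is the quantity the charts plot: the deepest reorg for which the expected gain is positive.

```python
"""Fee-sniping reorg decision model (added example, not the author's chart generator).

A miner with hashrate share q sees a bounty (an anyone-can-spend output or an
absurd fee) confirmed z blocks deep. It can keep extending the public tip,
earning block_reward for every block it finds, or fork from just before the
bounty block and mine privately, hoping to overtake the public chain and add
the bounty to its own block rewards. The race is the binomial random walk of
whitepaper section 11. Assumptions: one private fork, honest miners who only
switch once the fork is strictly longer, and a give-up rule: the fork is
abandoned once it has fallen max_extra_deficit blocks further behind than
where it started.
"""

SUBSIDY_BTC = 3.125  # block subsidy at time of writing; fees ignored (assumption)


def success_probability(q: float, deficit: int, fail_at: int) -> float:
    """Chance that a private fork `deficit` blocks behind the public tip becomes
    strictly longer before its deficit grows to `fail_at` (gambler's ruin with
    step probabilities q and p = 1 - q). As fail_at -> infinity this tends to
    the whitepaper's (q/p)^(deficit + 1)."""
    if deficit < 0:
        return 1.0
    if deficit >= fail_at:
        return 0.0
    p = 1.0 - q
    i = deficit + 1            # distance to the success barrier
    n = fail_at + 1            # distance between the two barriers
    if abs(q - p) < 1e-12:
        return (n - i) / n     # symmetric walk
    r = q / p
    if r < 1.0:
        return (r ** i - r ** n) / (1.0 - r ** n)
    s = p / q                  # same formula divided through by r**n (no overflow)
    return (1.0 - s ** (n - i)) / (1.0 - s ** n)


def _solve_tridiagonal(lower, diag, upper, rhs):
    """Thomas algorithm; lower[0] and upper[-1] are ignored."""
    n = len(diag)
    c_prime, d_prime = [0.0] * n, [0.0] * n
    c_prime[0] = upper[0] / diag[0] if n > 1 else 0.0
    d_prime[0] = rhs[0] / diag[0]
    for k in range(1, n):
        denom = diag[k] - lower[k] * c_prime[k - 1]
        c_prime[k] = upper[k] / denom if k < n - 1 else 0.0
        d_prime[k] = (rhs[k] - lower[k] * d_prime[k - 1]) / denom
    x = [0.0] * n
    x[-1] = d_prime[-1]
    for k in range(n - 2, -1, -1):
        x[k] = d_prime[k] - c_prime[k] * x[k + 1]
    return x


def reorg_expected_gain(q, z, bounty, block_reward=SUBSIDY_BTC, max_extra_deficit=6):
    """Expected (fork revenue - honest revenue) in BTC for attempting a z-block reorg.

    Every block the miner finds is worth block_reward either way, but on the
    fork it only pays if the fork wins, so each own block costs block_reward
    times the failure probability from the state it leads to, and winning adds
    the bounty. With F(d) = 1 - success_probability(d), V(d) satisfies
        V(d) = q * (V(d - 1) - block_reward * F(d - 1)) + p * V(d + 1),
        V(-1) = bounty, V(fail_at) = 0,
    a tridiagonal system in the unknowns V(0) .. V(fail_at - 1).
    """
    p = 1.0 - q
    fail_at = z + max_extra_deficit + 1
    n = fail_at
    rhs = [-q * block_reward * (1.0 - success_probability(q, d - 1, fail_at))
           for d in range(n)]
    rhs[0] += q * bounty       # V(-1) = bounty folded into the first equation
    values = _solve_tridiagonal([-q] * n, [1.0] * n, [-p] * n, rhs)
    return values[z]


def max_profitable_reorg_depth(q, bounty, block_reward=SUBSIDY_BTC,
                               max_extra_deficit=6, max_depth=20):
    """Deepest reorg (blocks) with positive expected gain; 0 means mine honestly.
    This is the quantity the charts above put on the Y axis."""
    best = 0
    for z in range(1, max_depth + 1):
        if reorg_expected_gain(q, z, bounty, block_reward, max_extra_deficit) > 0:
            best = z
    return best


if __name__ == "__main__":
    for bounty in (10.0, 100.0, 1000.0):
        cells = ", ".join(f"q={q:.0%}: {max_profitable_reorg_depth(q, bounty)} blocks"
                          for q in (0.10, 0.30, 0.45))
        print(f"{bounty:>6.0f} BTC bounty -> {cells}")
```

Running the file prints a small table for q = 10%, 30% and 45% against 10, 100 and 1,000 BTC bounties. The per-block hardness factors quoted above fall out of `success_probability`: with a distant give-up threshold, each extra block of depth divides the success probability by p/q, which is 9 for q = 0.1 and 2.33 for q = 0.3. Reputational risk, the fees in the orphaned blocks and the reaction of other pools are all outside the model.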
Fee snipe dynamics for a 10 BTC bounty
But we can see here, if a malicious entity wanted to start incentivizing a 30% hashrate miner into reorganizing blocks, it would start to make sense if they put a 10 BTC reward on the table. Of course, my profitability formula is overly simplistic and there are other risks a miner would need to take into account that are harder to quantify, like reputational risks. But I think those risks start to fade if the profit becomes large enough.
I’d say 100 BTC bounties start to look pretty appetizing in the scenario. We can see that at this level even miners with 10% and higher hashrate start being incentivized to attempt reorganizing the chain.
Fee snipe dynamics for a 100 BTC bounty
As you add more to the "bounty" past that, you're basically increasing how many blocks a given miner would be willing to continue attempting mining a reorg chain privately before giving up.
Fee snipe dynamics for a 1,000 BTC bounty
The Feasibility of Fee Sniping
Well that's not so bad because nobody else has as much hashrate as Foundry, right? Or, you might say, Foundry doesn't actually own all of its hashrate, and hashers might leave Foundry if they disagree with the above strategy. A potential adversarial situation could be even worse, though, because we have reason to believe that over 30% of global hashrate is getting its block templates from AntPool. Savvy observers have noticed overlapping patterns in both block templates and coinbase outputs suggesting that AntPool, Poolin, CloverPool (BTC.com), Braiins, Ultimus Pool, Binance Pool, SecPool, SigmaPool, Rawpool, Luxor and Mining Squared are acting as the same pool.
Bitcoin Mining Centralization in 2025
This post explores Bitcoin Mining Centralization in 2025 by looking at the hashrate share of the current five biggest mining pools. It presents a Mining Centralization Index and updates it with the assumed proxy pooling by AntPool & friends. It shows that Bitcoin mining is highly centralized today, with only six pools mining more than 95% of the blocks.

The resulting chaos from this incentive becomes particularly problematic when larger pools cross the threshold at which it becomes rational for them to try to reorganize more than a few blocks. From what I can tell, most major exchanges require 2 or 3 confirmations before you can trade; they would have to jack up the required confirmations in order to reduce their own risk of having to absorb double spend losses.
Let's say such an attacker decides to grief the network with 1 transaction every 4 hours that's worth 100 BTC. This would incentivize two different entities to attempt up to 3 block reorganizations in order to claim the funds. At 600 BTC per day, this griefing strategy could be sustained for about 9 years with 2M BTC, or over 11 years with 2.5M BTC.
It turns out my theorized attack scenario is backed up by a lengthy Computer Science Master’s thesis by Claire Bao at MIT. This chart shows that it becomes more profitable for miners to reorganize the chain rather than extend it honestly when abnormally high fee transactions are up for grabs.
Source: https://www.media.mit.edu/publications/mitigating-undercutting-attacks-a-study-on-mining-and-transaction-fee-behavior/
In particular, this Master's thesis shows that an environment with low fee frequency but high fee difference, which is the scenario I'm outlining, is NOT safe from "undercutting attacks" to reorganize the chain.
Source: https://www.media.mit.edu/publications/mitigating-undercutting-attacks-a-study-on-mining-and-transaction-fee-behavior/
One final word regarding this particular attack is that (assuming transaction fees don't eclipse block subsidies) it gets cheaper and cheaper in terms of BTC with each halving cycle, thus this class of attacks could easily be maintained for even longer than 9 years if they occur in a future mining epoch.
“Anyone Can Spend” Mempool & Block Space Chaos
A variation of the prior strategy.
An attacker could decide to cause maximum chaos and release the keys to coins after performing massive fan-out operations, thus eating up all available block space. Think this is ridiculous? It has happened before! I actually covered such an attack in this prior post:
A History of Bitcoin Transaction Dust & Spam Storms
A historical analysis of spam attacks conducted on the Bitcoin network.

“The Giv3r” and “CoinWallet Giveaway” events in 2015 released private keys to a little over 200 BTC, which was about $50,000 USD at the time.
In this scenario, rather than precisely calculating what value would be needed to incentivize miners to reorganize the chain, the attacker simply lets the market take over and incentivizes everyone who is listening to the network to compete with each other in replace-by-fee races to try to claim the value for themselves.
Depending upon the values of the UTXOs for which keys are released, at low values it would mostly cause mempool congestion and lots of mempool churn as transactions are replaced at higher rates than usual. At sufficiently high values it could also result in miners being incentivized to undercut each other as outlined in the prior section.
Screwing with Second Layers
Any of / a combination of the block space griefing attacks above can be used in conjunction with fraud attacks on peers using layer 2 protocols. Essentially: any layer 2 protocol that relies upon being able to settle a “justice / fraud dispute” transaction in a timely manner can be broken if you have the ability to deny your counterparties on the second layer the ability to do so.
Also, public Lightning channels expose their funding public keys through gossip. BOLT 7’s channel_announcement includes bitcoin_key_1 and bitcoin_key_2, and the announcement ties those keys to the channel funding output.
That means a CRQC attacker may not need to wait for channel closes or jamming of justice transactions. For public channels, the attacker can derive both funding private keys from the announced public keys and spend the 2-of-2 P2WSH funding output directly. Private channels are less globally exposed, but each counterparty still knows relevant funding keys, so a quantum-capable counterparty could attack its peer.
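As an added example that is not part of the original post, the Python below shows both constructions mentioned above: the OP_TRUE witness script and the P2WSH address it produces (the output anyone can claim once the script is known), and the BOLT 3 funding script assembled from the two bitcoin_key values a channel_announcement gossips, which lets anyone, CRQC or not, locate a public channel's funding output on chain. The key cracking step itself is not shown. The bech32 encoder is the BIP-173 reference algorithm written out inline; the two public keys are constructed placeholders, not keys from any real channel.

```python
"""Anyone-can-spend P2WSH outputs and Lightning funding outputs (added example).

Not code from the original post. Shows (1) a deposit address whose witness
script is nothing more than OP_TRUE, spendable by anyone who knows the script,
and (2) how the bitcoin_key_1 / bitcoin_key_2 values from a BOLT 7
channel_announcement map to the channel's 2-of-2 P2WSH funding output
(BOLT 3: "2 <pubkey1> <pubkey2> 2 OP_CHECKMULTISIG", keys sorted
lexicographically). The placeholder keys below are constructed, not real.
"""
import hashlib

OP_TRUE = b"\x51"           # OP_1: pushes 1, so the script succeeds with no other input
OP_2 = b"\x52"
OP_CHECKMULTISIG = b"\xae"
_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"   # BIP-173 bech32 alphabet


def _bech32_polymod(values):
    generator = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= generator[i]
    return chk


def _to_5bit(data: bytes) -> list:
    """Regroup 8-bit bytes into 5-bit symbols, zero-padding the tail."""
    acc, bits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        bits += 8
        while bits >= 5:
            bits -= 5
            out.append((acc >> bits) & 31)
    if bits:
        out.append((acc << (5 - bits)) & 31)
    return out


def p2wsh_address(witness_script: bytes, hrp: str = "bc") -> str:
    """Segwit v0 P2WSH address (bech32) committing to sha256(witness_script)."""
    program = hashlib.sha256(witness_script).digest()
    data = [0] + _to_5bit(program)                 # witness version 0 + 32-byte program
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    polymod = _bech32_polymod(hrp_expanded + data + [0] * 6) ^ 1
    checksum = [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(_CHARSET[d] for d in data + checksum)


def anyone_can_spend_output():
    """Address to fund, plus the witness stack anyone can use to spend it.
    A P2WSH witness is the script's inputs followed by the witness script;
    OP_TRUE needs no inputs, so the stack is just the script itself."""
    return p2wsh_address(OP_TRUE), [OP_TRUE]


def lightning_funding_script(bitcoin_key_1: bytes, bitcoin_key_2: bytes) -> bytes:
    """BOLT 3 funding witness script from the two announced compressed pubkeys."""
    if len(bitcoin_key_1) != 33 or len(bitcoin_key_2) != 33:
        raise ValueError("expected 33-byte compressed public keys")
    first, second = sorted((bitcoin_key_1, bitcoin_key_2))   # lexicographic order per BOLT 3
    return OP_2 + b"\x21" + first + b"\x21" + second + OP_2 + OP_CHECKMULTISIG


def lightning_funding_address(bitcoin_key_1: bytes, bitcoin_key_2: bytes, hrp: str = "bc") -> str:
    """Where the channel's funds sit on chain, derivable from gossip alone."""
    return p2wsh_address(lightning_funding_script(bitcoin_key_1, bitcoin_key_2), hrp)


# Constructed placeholders with compressed-key prefixes; not keys from any real channel.
EXAMPLE_KEY_A = bytes.fromhex("02" + "11" * 32)
EXAMPLE_KEY_B = bytes.fromhex("03" + "22" * 32)

if __name__ == "__main__":
    addr, witness = anyone_can_spend_output()
    print("OP_TRUE P2WSH address:", addr)
    print("spending witness:", [w.hex() for w in witness])
    print("channel funding output:", lightning_funding_address(EXAMPLE_KEY_A, EXAMPLE_KEY_B))
```

The OP_TRUE address is the same for everyone, since it is a pure function of the script; that is exactly why, once the script is public, every watcher can race to replace the attacker's spend with its own. For the channel case, the witness script a quantum-capable party would need to satisfy is the one `lightning_funding_script` returns; with both private keys recovered from the gossiped public keys it can produce the two signatures the script demands and sweep the output without any cooperation from the channel's peers.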
The main reason why this is less likely is that second layers simply don't have enough value locked in them to be of particular interest to an entity controlling millions of BTC. They'd really have to be stretching for maximum maliciousness to undertake this effort. And presumably, in the scenario where Bitcoin has implemented post-quantum cryptography, the Lightning Network protocol will also have upgraded to make use of it… though perhaps there will still be legacy channels that are vulnerable.
51% Attacks
Throughout the quantum threat debate, some people have claimed that we should worry about quantum enabled mining giving an asymmetric advantage to those with quantum computers, who could then potentially 51% attack the network. This has generally been discounted because Shor's algorithm offers no superpolynomial speedup against SHA-256 hashing. A quantum miner would instead have to rely on Grover's algorithm, which provides only a quadratic speedup, so it would be impractical to run an extremely expensive quantum computer against a problem that relatively cheap ASICs already solve efficiently.
It turns out that the folks worried about 51% attacks from quantum computing were right, but for the wrong reasons.
At time of writing the global network hashrate is a bit above 1,000 EH/s. Point being, it's well within the realm of reason that an entity with a couple hundred billion dollars to burn could feasibly acquire over 50% of the network hashrate, either by outright buying existing hardware, by taking near monopoly control of the means of producing new hardware, or some combination of the two. That would be an end game scenario if they are not a rational miner but only want to harm the network. How so?
A 51% attacker can't change the rules of bitcoin, but they can reorganize recent blocks out of the chain and dictate which blocks and transactions ultimately become part of the "finalized" blockchain. To be more precise, some of the actions you can take if you control the majority of Bitcoin's hashrate:
Double spending: deposit BTC on exchanges, withdraw fiat/stablecoins/other cryptocurrency, then reorganize the chain to reverse the deposit, thus gaining the fiat while keeping the BTC. This has been done before many times over the years against weaker proof of work chains:
| Chain | When | What happened |
|---|---|---|
| Feathercoin (FTC) | 2013 | A 51% attack reportedly reversed transactions and double-spent FTC. The exact loss figure is not consistently documented. (Distributed Networks Institute) |
| Krypton (KR) | August 2016 | Attackers used majority hashpower, reorganized the chain, and double-spent KR after moving coins through Bittrex; reported loss was about 21,465 KR. (Distributed Networks Institute) |
| Shift (SHIFT) | August 2016 | A similar attack to Krypton: majority mining control, chain reorganization, and double-spend attempts; public loss details are unclear. (Distributed Networks Institute) |
| Verge (XVG) | April–May 2018 | A hybrid mining-algorithm exploit plus majority-control attack enabled exchange-targeted double-spending/theft, widely reported around $1.7 million. This is not a "plain vanilla" hashrate-rental attack, but it is commonly counted as a successful 51%/majority attack. (Distributed Networks Institute) |
| MonaCoin (MONA) | May 2018 | A 51%-style/selfish-mining attack caused double-spends against exchanges; reported losses were at least $90,000. (Quadriga Initiative) |
| Bitcoin Gold (BTG) | May 2018; January 2020 | In 2018, attackers double-spent about 388,000 BTG, then worth about $18 million. In January 2020, BTG suffered additional double-spend reorgs totaling roughly $70,000–$72,000. (Distributed Networks Institute) |
| ZenCash / Horizen (ZEN) | June 2018 | Attackers controlled enough hashpower to double-spend ZEN; reported loss was about 23,000 ZEN, then roughly $550,000. (Distributed Networks Institute) |
| Vertcoin (VTC) | 2018; December 2019 | Vertcoin suffered multiple 51% attacks. The 2018 attacks reportedly caused around $100,000 in double-spends; a later 2019 reorg double-spent about 125 VTC. (Distributed Networks Institute) |
| AurumCoin (AU) | November 2018 | A 51% attack reportedly double-spent 15,752.26 AU through Cryptopia, then valued around $500,000. (Distributed Networks Institute) |
| Ethereum Classic (ETC) | January 2019; August 2020 | In January 2019, Coinbase identified multiple ETC double-spends totaling about 219,500 ETC, then about $1.1 million. In 2020, ETC was hit again, with Coinbase reporting about 800,000 ETC and 460,000 ETC double-spent in separate attacks. (Distributed Networks Institute) |
| Expanse (EXP) | July 2019 | MIT DCI's reorg tracker documented a 64-block attacker chain replacing 63 blocks, with one double-spent account/nonce totaling 200 EXP. (Gist) |
| Litecoin Cash (LCC) | July 2019 | MIT DCI documented multiple deep reorgs and double-spends, including double-spends of tens of thousands to hundreds of thousands of LCC. (Gist) |
| Aeternity (AE) | December 2020 | Aeternity disclosed 51% double-spend attacks affecting exchanges; official posts describe stolen AE from the December attack later being used in another attempted double-spend. Public reports vary on the exact total, commonly in the tens of millions of AE. (æforum) |
| Firo / Zcoin (FIRO/XZC) | January 2021 | Firo disclosed a 51% attack that replaced about a day of blocks and was aimed at defrauding exchanges; Binance and Indodax were publicly identified as affected. (The Firo Forum) |
| Bitcoin SV (BSV) | August 2021 | BSV suffered deep reorg attacks, and Coin Metrics' Lucas Nuzzi reported that millions of dollars were double-spent, but exchanges did not clearly disclose victim losses publicly. (Lucas Nuzzi) |
Transaction censorship: selectively prevent confirmations for targeted addresses by leaving their transactions out of your block template while hashing. If another miner finds a block containing a transaction you disapprove of, you simply extend your own chain past that block and orphan it, so the transaction never existed in the blockchain's canonical history.
Short range attacks: if chain reorganizations are used in conjunction with short range attacks, a quantum adversary with majority hashrate could potentially steal from any wallet that isn't quantum resistant and transacts. Basically: once a high value quantum vulnerable transaction is broadcast, the adversary can start recovering the private key from the exposed public key while simultaneously using their hashrate to privately mine a new blockchain branch that doesn't contain that transaction. Then, upon cracking the private key, they craft a transaction that redirects the funds to an address they control and confirm it in a block on their private branch, which majority hashrate guarantees will eventually become the longest chain. This is a variation of the earlier "confirmation delay" short range attack strategy.
Empty block attacks: this would be the most effective way to quickly kill Bitcoin, in my opinion. Basically, you only mine empty blocks. If any other miner publishes a block containing transactions other than the coinbase transaction, reorganize it out of existence. This also kills every other mining operation by depriving them of revenue (they can’t spend their coins / send them to exchanges / etc) and takes the value of Bitcoin as a settlement network to zero. If such an attack were to occur, Bitcoin would only have two options: wait it out and hope the attacker gives up or hard fork to change the mining algorithm and effectively “brick” every SHA256 ASIC in existence.
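The attacks above all reduce to one race: an attacker's private branch against the honest chain. As an added example (not code from this essay), the block below implements the attacker catch-up probability from section 11 of the Bitcoin whitepaper, where `q` is the attacker's hashrate share and `z` the number of confirmations a victim waits for, and cross-checks it with a seeded Monte Carlo block race. It shows concretely why "wait for more confirmations" is a defense only against a minority attacker: at `q >= 0.5` no `z` helps. All inputs are constructed.

```python
"""Chain-reorganization arithmetic behind double-spend and confirmation-delay attacks.

Added example for this essay, not code from it. It implements the attacker
catch-up probability from section 11 of the Bitcoin whitepaper (q = attacker's
hashrate share, z = confirmations the victim waits for) and cross-checks it with
a seeded Monte Carlo block race. All inputs below are constructed.
"""
import math
import random


def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker holding share q of the hashrate ever catches
    up with a branch that is z confirmations ahead (whitepaper section 11).
    With q >= 0.5 the race is a gambler's ruin the attacker cannot lose."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a hashrate fraction in [0, 1]")
    if z <= 0 or q >= 0.5:
        return 1.0
    if q == 0.0:
        return 0.0
    p = 1.0 - q
    lam = z * q / p                        # expected attacker blocks while the victim waits
    log_lam = math.log(lam)
    remaining = 1.0
    for k in range(z + 1):
        # Poisson weight computed in log space so large z does not overflow a float
        poisson = math.exp(-lam + k * log_lam - math.lgamma(k + 1))
        remaining -= poisson * (1.0 - (q / p) ** (z - k))
    return max(0.0, remaining)


def confirmations_for_risk(q: float, max_risk: float, z_limit: int = 10_000):
    """Smallest z that pushes the attacker's success chance below max_risk, or
    None when no number of confirmations helps (majority hashrate)."""
    if q >= 0.5:
        return None
    for z in range(z_limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


def simulate_catch_up(q: float, z: int, trials: int, seed: int = 1, give_up: int = 60) -> float:
    """Monte Carlo version: from the moment the victim's transaction is broadcast the
    attacker mines a private branch without it. Success once the private branch is
    at least as long as the honest one. For q < 0.5 the deficit drifts upward, so
    falling give_up blocks behind is counted as a loss."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        honest = attacker = 0
        while honest < z:                  # victim waits for z confirmations
            if rng.random() < q:
                attacker += 1
            else:
                honest += 1
        deficit = honest - attacker
        while 0 < deficit < give_up:       # gambler's-ruin phase after the z-th confirmation
            deficit += -1 if rng.random() < q else 1
        wins += deficit <= 0
    return wins / trials


if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.51):
        needed = confirmations_for_risk(q, 0.001)
        print(f"q={q:.2f}: P(catch up after 6 confs)={catch_up_probability(q, 6):.4f}, "
              f"confirmations for <0.1% risk: {needed}")
    print("Monte Carlo q=0.3, z=3:", simulate_catch_up(0.3, 3, 10_000),
          "formula:", round(catch_up_probability(0.3, 3), 4))
```

The formula reproduces the whitepaper's table (for example `q=0.1, z=5` gives about 0.0009, `q=0.3` needs 24 confirmations to get below 0.1%), and the simulation matches it to within sampling noise. The Monte Carlo function is the one to extend if you want to model the quantum variant, where the attacker also needs time to recover a key before the redirecting transaction can go into the private branch.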
Buying Hashrate
You may have scoffed at the idea that large miners or pools would start reorganizing the chain to enrich themselves. Perhaps they would consider the resulting loss of confidence in the network, with users forced to wait for many more confirmations before considering a payment settled, too high a price to pay.
If the existing set of rational miners failed to take the bait, an extremely patient long term attacker could acquire significant hashrate they controlled themselves in a variety of ways. Let’s take a look at the biggest mining companies and their values.
| Company | Ownership | Hashrate (EH/s) | Market value (approx.) |
|---|---|---|---|
| Bitdeer Technologies Group | Public | 70 | $3B |
| MARA Holdings | Public | 62 | $5B |
| CleanSpark | Public | 50 | $3B |
| Iris Energy | Public | 50 | $13B |
| Core Scientific | Public | 40 | $6B |
| Riot Platforms | Public | 30 | $6B |
| Bitmain | Private | 30 | $30B |
| Genesis Digital Assets | Private | 20 | $2B |
| Cipher Mining | Public | 15 | $7B |
| TeraWulf | Public | 12 | $8B |
| Northern Data | Public | 10 | $3B |
| Hut 8 | Public | 10 | $8B |
| Bitfarms | Public | 10 | $2B |
| Gryphon Digital Mining | Public | 10 | $1B |
| Phoenix Group | Public | 4 | $2B |
If you exclude Bitmain because it’s highly valued due to ASIC production, that’s 393 EH/s for around $70B. Extrapolate that and perhaps one could acquire 600 – 700 EH/s for $150B if you made a concerted effort to scoop up every medium and large sized mining operation. That’s well over the 50% required to control the network. Though it would of course require a decent amount of work to acquire that many companies.
It’s also worth noting that this strategy could be combined with aforementioned market manipulation strategies. A savvy attacker could, for example, make a ton of money by shorting the market while causing the exchange rate to plunge due to fears of quantum dumping overhang, which if maintained over a longer period of time would also greatly suppress the valuation of mining companies. Then they could scoop up the mining companies far more cheaply in order to carry out a 51% attack.
Producing ASICs
Last year Reuters reported that Bitmain, Canaan, and MicroBT together build over 90% of global mining rigs. What if, instead of buying a bunch of companies with deployed hashrate, you went straight to the source? How much would it cost to buy up all the production capacity?
| Manufacturer | Estimated value |
|---|---|
| Bitmain | $30B |
| MicroBT | $2B |
| Canaan | $0.4B |
Over the past 2 years the total network hashrate has increased by 300 – 350 EH/s per year. What if you just bought these 3 companies, ramped up production, and kept it all for yourself? Bitmain also has a lot of deployed hashrate (30 EH/s) so they already have the expertise and infrastructure to deploy ASICs at scale.
Assuming these companies are already at 100% capacity and can't ramp up further, and assuming you could produce 300 EH/s per year, it would take a little over 3 years to gain a majority hashrate share of the market if you managed to corner the production supply. That timeline also assumes the rest of the network stays flat at roughly 1,000 EH/s; the remaining sub-10% of rig production that you don't control would keep adding to the hashrate you have to beat and stretch it out somewhat.
A 3 year strategy is certainly playing the long game, but we can see that it would cost only 20% of my estimate for outright buying as much hashrate as quickly as possible at current market rates.
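To make the two routes above (buying deployed hashrate versus cornering production) comparable, here is an added example, not code from this essay, that works through both with the essay's own company table. `acquisition_plan` buys companies cheapest-first by dollars per EH/s until the purchased share of a fixed-size network crosses a threshold, with a multiplier for valuations suppressed by the market manipulation discussed above; `years_to_majority` solves the production race, including the case where producers you don't control keep shipping rigs. The 1,000 EH/s network size, the 300 EH/s/year output and the residual-growth figures are the essay's estimates or labelled assumptions, and the valuations are a stale snapshot.

```python
"""Cost and timeline for assembling majority hashrate.

Added example for this essay, not code from it. The company list is the one on
the page (deployed EH/s, rough market value in $B); those figures are a snapshot
and will be stale. Network size, annual rig output and residual growth are
assumptions, labelled where used.
"""
import math

NETWORK_EHS = 1000.0   # essay's figure for total network hashrate at time of writing

# (company, deployed EH/s, market value in $B) as listed in the essay
MINERS = [
    ("Bitdeer Technologies Group", 70, 3), ("MARA Holdings", 62, 5),
    ("CleanSpark", 50, 3), ("Iris Energy", 50, 13), ("Core Scientific", 40, 6),
    ("Riot Platforms", 30, 6), ("Bitmain", 30, 30), ("Genesis Digital Assets", 20, 2),
    ("Cipher Mining", 15, 7), ("TeraWulf", 12, 8), ("Northern Data", 10, 3),
    ("Hut 8", 10, 8), ("Bitfarms", 10, 2), ("Gryphon Digital Mining", 10, 1),
    ("Phoenix Group", 4, 2),
]


def acquisition_plan(miners, network_ehs, share=0.5, valuation_multiplier=1.0, exclude=()):
    """Buy deployed hashrate cheapest-first ($B per EH/s) until the purchased EH/s
    exceeds `share` of the network. Buying existing rigs moves hashrate rather than
    adding any, so the network total is held constant. valuation_multiplier < 1
    models suppressed valuations after a sustained price dump.
    Returns (companies_bought, ehs, cost_in_billions, target_reached)."""
    target = share * network_ehs
    candidates = [m for m in miners if m[0] not in exclude]
    ranked = sorted(candidates, key=lambda m: (m[2] / m[1], m[0]))
    bought, ehs, cost = [], 0.0, 0.0
    for name, rate, value in ranked:
        bought.append(name)
        ehs += rate
        cost += value * valuation_multiplier
        if ehs > target:
            return bought, ehs, cost, True
    return bought, ehs, cost, False


def years_to_majority(network_ehs, attacker_ehs_per_year, residual_ehs_per_year=0.0, owned_ehs=0.0):
    """Years until attacker-built hashrate exceeds everyone else's. The attacker
    already owns owned_ehs of the current network, adds attacker_ehs_per_year,
    and the rest of the network keeps growing by residual_ehs_per_year (0 if
    production is fully cornered). Solves owned + a*t > (network - owned) + r*t."""
    if attacker_ehs_per_year <= residual_ehs_per_year:
        return math.inf                      # the target recedes faster than you approach it
    gap = network_ehs - 2.0 * owned_ehs
    return max(0.0, gap / (attacker_ehs_per_year - residual_ehs_per_year))


if __name__ == "__main__":
    names, ehs, cost, ok = acquisition_plan(MINERS, NETWORK_EHS, exclude=("Bitmain",))
    print(f"listed miners ex-Bitmain: {ehs:.0f} EH/s for ${cost:.0f}B, majority reached: {ok}")
    names, ehs, cost, ok = acquisition_plan(MINERS, NETWORK_EHS, share=0.3)
    print(f"30% of network: {len(names)} companies, {ehs:.0f} EH/s, ${cost:.0f}B")
    names, ehs, cost, ok = acquisition_plan(MINERS, NETWORK_EHS, share=0.3, valuation_multiplier=0.5)
    print(f"same after a 50% valuation crash: ${cost:.0f}B")
    # 300 EH/s/yr is the essay's production estimate; 33 EH/s/yr is an assumed
    # residual from the ~10% of rig output the three big makers do not control
    print("years to majority, production cornered:", round(years_to_majority(NETWORK_EHS, 300), 2))
    print("years to majority, 33 EH/s/yr residual:", round(years_to_majority(NETWORK_EHS, 300, 33), 2))
    print("years to majority, others match your output:", years_to_majority(NETWORK_EHS, 300, 300))
```

Two things fall out that the prose only implies: the listed companies (even including Bitmain) sum to 423 EH/s, so no purchase plan drawn from that table alone reaches a majority of a 1,000 EH/s network, which is why the essay has to extrapolate to smaller operators; and the production route is extremely sensitive to the residual growth you fail to capture, going from about 3.3 years to about 3.7 years with a 33 EH/s/year leak and to never if the rest of the industry keeps pace.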
Satoshi Psyop
A more devious plan that could be executed by a quantum attacker (if they kept their quantum computer a secret) would be to put forward a person claiming to be Satoshi after cracking keys to coins known to belong to Satoshi. Think of this scenario like Craig Wright on steroids: backed by even greater resources than Calvin Ayre had and actually possessing cryptographic proof of controlling Satoshi’s keys. Heck, they could even give a key or two to Craig to sow maximum confusion; I’m sure Craig would jump at the chance for “vindication,” claiming that the “bonded courier” finally arrived with his keys!
This scenario could get pretty nasty since it’s more of an attack at the social and human consensus level rather than the technical level. A Faketoshi with actual keys and a decent backstory could drive massive rifts in the ecosystem by taking a position of authority. Such a figure would have a far greater degree of success than Craig Wright at trying to do things such as:
- demanding protocol rule changes
- suggesting that his opinion should settle disputes
- pushing narratives that erode the ethos of individual sovereignty
- “blessing” one implementation as being true to Satoshi’s vision for Bitcoin
An Evenly Matched Quantum Race
One of the more chaotic scenarios would be if more than one entity has been privately cracking keys for a while when the "winner" decides they have cracked enough keys to start broadcasting transactions and taking control of the funds, thus revealing their advantage to the world.
In a situation such as this, it could get pretty rough regarding reorganization incentives. In a naive scenario, each quantum entity would enter into a “replace by fee” race if they noticed that their quantum competitor broadcast a transaction that spent funds for which both parties had cracked a key. But this would end poorly for both parties and they’d most likely end up burning nearly all of the value in fees, so the primary beneficiary would be miners.
More sophisticated and forward-thinking quantum entities might seek to form business relationships with major miners ahead of time to avoid burning funds on unpredictable fee bumping races. This could result in temporary chain splits as different pools try to reorganize blocks based upon their business relationships, in a variation of the aforementioned undercutting attacks.
Nor is it outside the realm of possibility that one quantum-enabled entity is in the United States and one is in China, and their respective nation states step in to facilitate the battle to finalize ownership of swept funds. Though fortunately for the US, China managed to shoot themselves in the foot several years ago and drive a ton of hashrate out of their country.
The Grab Bag
Of course, an attacker is not limited to choosing just one of the scenarios outlined in this essay. They could mix and match any number of them. And there are likely other strategies of which I haven’t even been able to conceive. Can you think of one that I missed? Feel free to contact me and let me know; I’m happy to update this essay to be more comprehensive.
Optimistic Scenarios
In the spirit of being comprehensive, we should recognize that not all quantum scenarios are necessarily catastrophic.
In the absolute best case scenario, a benevolent quantum capable entity could simply send all the coins to a burn address or OP_RETURN output. This seems rather unlikely.
Otherwise, a public long-term non-selling pledge, or a transparent multi-year release policy by transferring funds into verifiably timelocked tranches, would reduce the “quantum vulnerable coins overhang” fear.
A quantum capable entity could pledge to allocate much of the funds back to maintaining and improving the ecosystem. Funding security review, protocol research, developer education, and legal defense across multiple independent teams would help ensure the long-term maintenance of the ecosystem. Of course, care would need to be taken to ensure that this funding isn’t used to exert a form of soft power.
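"Verifiably timelocked tranches" means each tranche sits behind a script that anyone can inspect and whose spend the consensus rules refuse before a stated block height or time. As an added example, not code from this essay, the block below builds the standard BIP 65 redeem script `<locktime> OP_CHECKLOCKTIMEVERIFY OP_DROP <pubkey> OP_CHECKSIG` for a multi-year release schedule and parses a published script back to the locktime it commits to, rejecting non-minimal number encodings and anything that deviates from the template, which is the check an outside observer would run. The public key and the 52,560 blocks-per-year spacing are constructed assumptions; the opcodes and the height/time threshold are from the protocol.

```python
"""Verifiably timelocked release tranches with OP_CHECKLOCKTIMEVERIFY (BIP 65).

Added example for this essay, not code from it. Builds the redeem script
"<locktime> OP_CHECKLOCKTIMEVERIFY OP_DROP <pubkey> OP_CHECKSIG" for each
tranche and parses a script back to the locktime it commits to. The public key
below is a constructed placeholder, not a real key. After the lock expires the
output is still only a signature check on whatever key the script names.
"""
OP_CHECKLOCKTIMEVERIFY, OP_DROP, OP_CHECKSIG = 0xB1, 0x75, 0xAC
LOCKTIME_THRESHOLD = 500_000_000   # BIP 65: below = block height, at/above = Unix time
BLOCKS_PER_YEAR = 52_560           # assumption: 144 blocks/day * 365 days

PUBKEY = b"\x02" + bytes(range(1, 33))   # constructed 33-byte compressed-key placeholder


def encode_script_num(n: int) -> bytes:
    """Minimal CScriptNum encoding: little-endian, sign bit in the top bit of the last byte."""
    if n <= 0:
        raise ValueError("locktimes must be positive")
    out = bytearray()
    while n:
        out.append(n & 0xFF)
        n >>= 8
    if out[-1] & 0x80:               # top bit set would read as negative: pad with 0x00
        out.append(0x00)
    return bytes(out)


def decode_script_num(b: bytes):
    """Inverse of encode_script_num; None if the encoding is not minimal or is negative."""
    if not b:
        return None
    if b[-1] & 0x7F == 0 and (len(b) == 1 or not b[-2] & 0x80):
        return None                  # non-minimal per Bitcoin Core's IsMinimallyEncoded
    if b[-1] & 0x80:
        return None                  # negative: CLTV fails on negative locktimes anyway
    return int.from_bytes(b, "little")


def push(data: bytes) -> bytes:
    """Direct push opcode (1..75 bytes), which is all this template needs."""
    if not 1 <= len(data) <= 75:
        raise ValueError("direct push only")
    return bytes([len(data)]) + data


def tranche_script(locktime: int, pubkey: bytes) -> bytes:
    return (push(encode_script_num(locktime)) + bytes([OP_CHECKLOCKTIMEVERIFY, OP_DROP])
            + push(pubkey) + bytes([OP_CHECKSIG]))


def parse_tranche_script(script: bytes):
    """Return (locktime, 'height' or 'time', pubkey) if the script matches the template
    exactly, else None. A spender must still set nLockTime >= locktime, same type."""
    try:
        n = script[0]
        if not 1 <= n <= 75:
            return None
        locktime = decode_script_num(script[1:1 + n])
        if locktime is None:
            return None
        i = 1 + n
        if script[i:i + 2] != bytes([OP_CHECKLOCKTIMEVERIFY, OP_DROP]):
            return None
        i += 2
        m = script[i]
        if m not in (33, 65):        # compressed or uncompressed public key
            return None
        pubkey = script[i + 1:i + 1 + m]
        i += 1 + m
        if len(pubkey) != m or script[i:] != bytes([OP_CHECKSIG]):
            return None
    except IndexError:
        return None
    kind = "height" if locktime < LOCKTIME_THRESHOLD else "time"
    return locktime, kind, pubkey


def release_schedule(pubkey: bytes, first_height: int, tranches: int, spacing: int = BLOCKS_PER_YEAR):
    """One tranche script per year starting at first_height; publish these and the
    funding txids and anyone can verify the release policy from chain data alone."""
    return [(first_height + i * spacing, tranche_script(first_height + i * spacing, pubkey))
            for i in range(tranches)]


if __name__ == "__main__":
    for height, script in release_schedule(PUBKEY, 900_000, 4):
        print(height, script.hex(), parse_tranche_script(script)[:2])
```

Funding these scripts as P2WSH outputs keeps the script (and the key) hidden until spend; the verifiable part is that once the pledger reveals the scripts and the outputs committing to them, every tranche's earliest spend height is fixed by consensus rather than by a promise.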
In Conclusion
In all cases, if an entity comes into the possession of millions of BTC at relatively little cost to their market value, these funds act as both ammunition and "skin in the game" that paradoxically enables self-destructive behavior if the attacker's motivation is external to the system (e.g. geopolitical or derivatives profit). Bitcoin's security model assumes economically rational participants with limited resources, but a quantum-capable actor has the potential to break that assumption.
The network’s best defenses to this threat remain vigilant monitoring of the quantum computing industry, making efforts to reduce hashrate concentration, proactive migration to post-quantum cryptography if the risk of a cryptographically relevant computer looks realistic, and community coordination to mitigate undesirable scenarios.
Bitcoin is a voluntary open project. Many say that the proper solution to quantum recovery of coins is to do nothing. Those people are free to do nothing, but they should not delude themselves into thinking that they can stop others from trying to do something.
We can certainly hope that this threat will never emerge.
But hope is not a strategy.