Stop worrying about the Bitcoin quantum threat

The state of quantum computing and what it would take to threaten Bitcoin

Quantum computing has advanced materially over the past 18 months, but the field remains in the transition from noisy hardware to early fault tolerance.

The key shift is away from raw physical-qubit counts and toward logical qubits, gate fidelity, runtime, and error correction. That shift is important for Bitcoin because risk estimates are driven by logical qubits and fault-tolerant operations rather than headline hardware totals.

What is the actual state of quantum computing advancement?

Progress is visible across three fronts: below-threshold error correction, small logical-qubit demonstrations, and deeper circuits with lower noise.

In late 2024, Google’s Willow chip demonstrated below-threshold error correction, in which error rates fell as the encoded system scaled up. IBM says its current systems can run certain circuits with more than 5,000 two-qubit gates and has published a roadmap to a 200-logical-qubit fault-tolerant system by 2029.

Quantinuum has reported 48 error-corrected logical qubits and 64 error-detected logical qubits from 98 physical qubits, along with 50 error-detected logical qubits on Helios at better-than-break-even performance. Microsoft and Atom Computing reported 24 entangled logical qubits and computation with 28 logical qubits on neutral-atom hardware.

The sector remains short of a large-scale fault-tolerant machine. That is one reason DARPA’s Quantum Benchmarking Initiative exists.

Its target is a quantum computer whose computational value exceeds its cost by 2033, and the agency is still validating competing architectures rather than certifying that any team has already reached that point.

What can quantum computers do today?

Today’s systems can do four things with credibility. They can run benchmark problems beyond classical brute-force methods, including Google’s random circuit sampling and more recent work on Quantum Echoes.

They can perform limited, specialized simulations in physics and chemistry, often in hybrid workflows with classical high-performance computing. They can demonstrate logical qubits and fault-tolerant subroutines on small scales. They also function as testbeds for error correction, decoding, and control systems.

What they cannot do today is the part that matters for Bitcoin.

No public system has anywhere near the logical-qubit count, fault-tolerant gate budget, or sustained runtime needed for cryptographically relevant attacks on secp256k1. Google’s Willow contains 105 physical qubits.

The leading public demonstrations of logical qubits remain in the tens, not the thousands. A recent estimate from Google researchers and co-authors puts a Bitcoin-relevant attack in the range of 1,200 to 1,450 logical qubits and tens of millions of Toffoli gates, leaving a large gap between current machines and a cryptographically relevant system.

What is required from here to create quantum computers that can crack Bitcoin on some level?

The critical threshold is a cryptographically relevant quantum computer capable of running Shor’s algorithm against the elliptic-curve discrete logarithm problem on secp256k1.

According to the March 2026 Google paper, fewer than 1,200 logical qubits and 90 million Toffoli gates, or fewer than 1,450 logical qubits and 70 million Toffoli gates, could in principle solve ECDLP-256.

Under superconducting assumptions with 10^-3 physical error rates and planar connectivity, the authors estimate that such an attack could be executed in minutes with fewer than 500,000 physical qubits.

That sets the engineering problem. The path forward is not simply a linear climb from about 100 physical qubits to 500,000. The harder challenge is building large numbers of stable logical qubits, sustaining tens of millions of fault-tolerant operations, achieving fast cycle times, and integrating all of that with real-time decoding, cryogenics or photonic interconnects, classical control, and manufacturable modules.

The same paper argues that fast-clock systems, such as superconducting and photonic platforms, are more relevant to on-spend attacks than slower-clock systems, such as ion traps and neutral atoms, because runtime can be decisive within a mempool window.

For Bitcoin, “crack on some level” does not mean breaking the network in one step. The earlier risk is recovering private keys from exposed public keys or attacking spends while public keys are visible.

In its research disclosure on cryptocurrency vulnerabilities, Google says blockchains that rely on ECDLP-256 need a post-quantum migration path and notes near-term mitigation, such as avoiding exposed or reused vulnerable wallet addresses.

Is Google’s recent 2029 prediction genuinely realistic?

This question needs a distinction. In Google’s own language, 2029 is a post-quantum migration target, not a definitive date for a Bitcoin-cracking machine.

On March 25, 2026, Google said it was setting a timeline for the post-quantum cryptography migration to 2029, citing progress in hardware, error correction, and resource estimates.

In a March 31, 2026, research post, the company said that future quantum computers may break elliptic-curve cryptography used in cryptocurrencies with fewer qubits and gates than previously estimated. Those are related, but not identical, claims.

As a migration deadline, 2029 looks aggressive but defensible. As a hard forecast for Bitcoin-breaking capability, the public evidence remains thinner.

Google has meaningfully reduced the attack estimate, and IBM has a public 2029 roadmap to 200 logical qubits and 100 million gates. Even so, IBM’s 2029 target remains well below Google’s latest logical-qubit estimate for attacking secp256k1.

DARPA’s utility-scale benchmark horizon extends to 2033, which is the more conservative reference point. On current evidence, 2029 works better as a preparedness date than as a settled date for Q-Day.

How much could it cost to get to that point?

No one has published a definitive public budget for a Bitcoin-cracking quantum computer. The strongest public signals come from capital raises, government packages, and facility buildouts. PsiQuantum raised $1 billion in 2025 for utility-scale fault-tolerant systems and separately secured an A$940 million public package in Australia for its Brisbane build.

Quantinuum raised about $300 million in early 2024 and later announced a further financing round in 2025. Illinois also assembled a $500 million quantum park plan and a reported $200 million tax incentive package around the Chicago site tied to PsiQuantum.

The reasonable inference is that a first-generation cryptographically relevant system sits in the low single-digit billions of dollars, and potentially higher once the full campus, specialized fabrication, packaging, cryogenics, classical compute, networking, control electronics, and multi-year staffing costs are included.

Public and private capital are already converging at that scale. This is now an infrastructure-scale buildout.

What milestones should be watched from here?

The first milestone is the move from tens to hundreds of high-fidelity logical qubits that remain stable long enough to execute meaningful programs.

After that, the next threshold is whether those logical qubits can support millions to tens of millions of fault-tolerant gates with real-time decoding and manufacturable scaling. IBM’s public roadmap frames that progression directly with Starling at 200 logical qubits and 100 million gates in 2029, followed by Blue Jay at 2,000 logical qubits and 1 billion gates in 2033.

The second milestone is architectural validation. The Google attack-resource paper points toward fast-clock architectures as the systems most relevant to on-spend crypto attacks. That places more emphasis on progress in superconducting and photonic systems when assessing near-term Bitcoin risk.

The third milestone is independent verification. DARPA’s QBI and US2QC programs matter because they force companies to convert roadmaps into auditable engineering plans. Microsoft and PsiQuantum have already moved into the final validation and co-design phase of US2QC, while IBM, Quantinuum, Atom, IonQ, QuEra, Xanadu, and others remain in Stage B of QBI.

If one of those programs concludes that a design is constructible as intended, that will carry more weight than a standard corporate roadmap.

The fourth milestone is the cryptographic response. NIST finalized its first three post-quantum cryptography standards in August 2024 and says organizations should begin migrating now, with vulnerable algorithms on a path to deprecation and removal by 2035. For Bitcoin and the wider crypto stack, a credible migration path materially changes the risk profile.

Who is most likely to create a quantum computer first?

The answer depends on the definition of “first.” If the benchmark is the first public fault-tolerant system with meaningful logical-qubit scale, IBM and Quantinuum have the strongest public case today.

IBM has the clearest long-range public roadmap for hundreds, then thousands, of logical qubits. Quantinuum has some of the strongest public data on trapped-ion logical qubits and break-even.

If the benchmark is the first independently validated route to utility scale, Microsoft and PsiQuantum stand out because DARPA has already moved them into the final validation and co-design phase of US2QC. That does not settle the race, but it does indicate that a serious government review process sees those paths as mature enough for deeper system-level scrutiny.

If the benchmark is the first system plausibly relevant to Bitcoin, fast-clock platforms deserve the closest attention. On current public evidence, which points more toward superconducting or photonic stacks than trapped-ion or neutral-atom systems for the earliest on-spend attack capability.

That keeps Google, IBM, PsiQuantum, and potentially Microsoft’s topological path in the highest-attention group, while still leaving room for a surprise from another DARPA-backed architecture.

What would it take for a bad actor to use such a machine after a top lab proves the capability?

The barrier would remain extremely high. Any malicious actor would need access to a facility-scale system, specialized supply chains, advanced control electronics, packaging, cryogenics, or large photonic infrastructure, error-correction software, compilers, and a team that spans quantum hardware, error correction, systems engineering, and cryptography.

The likely cost profile remains in the billion-dollar range, and the engineering footprint would be difficult to conceal. That pushes the first credible threat toward a state, a state-backed program, or misuse of an existing top-tier lab capability rather than an independent criminal build.

There is also a second layer of difficulty. Even after a top lab demonstrates theoretical capability, turning that into reliable illicit use would require stable runtime, enough machine availability, targeting intelligence, and a way to operationalize results before defenders complete migration.

In its responsible disclosure, Google withheld attack details and used zero-knowledge methods to validate claims without publishing an operational playbook. That raises the barrier to reckless replication.

The clearest historical comparison for “computing breakthrough at research level to bad actor capability” is DES.

In 1977, Whitfield Diffie and Martin Hellman argued that a machine capable of brute-forcing DES in about a day would cost roughly $20 million, which placed that capability in state hands.

By 1998, the Electronic Frontier Foundation built Deep Crack for under $250,000 and cracked DES in 56 hours.

By 2006, the FPGA-based COPACOBANA machine pushed that cost below $10,000, showing that a capability once discussed at national-lab scale had moved into the range of commercially available specialist hardware.

The pattern matters more than the exact cipher. Cryptanalytic capability often appears first as an elite-budget possibility, then as a public proof, and only later as something that can be assembled at far lower cost from accessible components.

For Bitcoin, the relevant question is not only when a top lab can demonstrate a cryptographically relevant quantum attack, but also how long it takes for that capability to move down the cost curve into something smaller actors could realistically access and operate.

So even if Google were to create a quantum machine capable of cracking Bitcoin in 2029, following the DES timeline, bad actors may not have access for another 30+ years.

Bottom line

Bitcoin is not under quantum attack today. The threat has moved out of the science-fiction category and into the planning category.

Google’s new estimate reduces the required resources enough to sharpen the central question: whether Bitcoin and the broader cryptographic stack can migrate before fast-clock fault-tolerant systems cross the threshold for cryptographically relevant attacks.

Even if a top lab reaches that threshold sooner than expected, the limiting factor for bad actors is likely to be access, because the first cryptographically relevant systems would still be facility-scale machines with billion-dollar economics rather than tools that can be quietly bought, rented, or assembled at criminal scale.