Quantum Computers Could Crack Bitcoin by 2029, Google Now Says
A March research post from Google slashed the hardware requirements for breaking elliptic-curve cryptography, a $2 billion U.S. funding wave is accelerating the timeline, and the crypto ecosystem is sitting on $158 billion in annual illicit flows it can't afford to expose. The post-quantum migration window is open. It won't stay that way.
On March 31, 2026, Google Research published a disclosure that recalibrated how the crypto industry thinks about its own shelf life. The paper updated resource estimates for attacking ECDLP-256, the elliptic-curve math that protects the vast majority of blockchain wallets, and the numbers came in sharply lower than prior models suggested. Not in a decade. Not in some theoretical future. In a few minutes, on a machine with fewer than 500,000 physical qubits.
That number sounds large until you look at where the hardware race is heading. Two months later, the U.S. Commerce Department announced more than $2 billion in CHIPS Act letters of intent for nine quantum computing firms, including $1 billion earmarked for IBM alone. The federal government isn't funding quantum research as basic science anymore. It's funding a race.
Meanwhile, the crypto ecosystem that quantum hardware threatens is not a clean, tidy financial system waiting to be upgraded. According to TRM Labs' January 2026 report, illicit entities captured roughly $158 billion in incoming value last year. That's the environment in which a cryptographic migration has to happen: under institutional pressure, against a closing timeline, with criminals already probing every gap.
Google's March Warning, and Why This One Is Different
Google has talked about quantum risk before. This time is different because the company put specific, updated numbers into the public record and attached a migration deadline to them.
The whitepaper says a cryptographically relevant quantum computer (CRQC) could crack ECDLP-256 using fewer than 1,200 logical qubits and under 90 million Toffoli gates, or alternatively under 1,450 logical qubits and fewer than 70 million Toffoli gates. The circuits could execute in minutes on a superconducting machine with a sub-500,000 physical qubit count. Prior estimates put the physical qubit requirement in the millions. Google's revised figure moves the threat from theoretical to engineering-grade.
The disclosure was coordinated with the U.S. government and framed through responsible-disclosure protocols. Google also named its interlocutors: Coinbase, the Stanford Institute for Blockchain Research, and the Ethereum Foundation are cited as partners in the process. That's not a casual list. It signals that the largest exchange by U.S. volume, the most prominent academic blockchain lab, and the Ethereum core team have all been briefed that the threat is real and that the company recommends moving toward post-quantum cryptography (PQC) now.
"The migration timeline we've introduced is 2029. That's not a scare date. It's the planning horizon for communities with vulnerable key infrastructure to begin serious cryptographic transitions."
Google Research, "Safeguarding cryptocurrency by disclosing quantum vulnerabilities responsibly," March 31, 2026 — Times of India
The use of responsible-disclosure language is significant. Google is treating this the way the security community treats a zero-day: publish it before someone else exploits it, give the affected parties time to patch, and document the timeline publicly so there's accountability. The implication is that Google believes CRQC capability will exist within a planning-relevant horizon, not as a remote hypothetical.
What Actually Breaks, and What Doesn't (Yet)
Not all crypto is equally exposed. The distinction matters a great deal for how urgently different parts of the ecosystem need to move.
Elliptic-curve cryptography, specifically ECDSA and the secp256k1 curve used by Bitcoin and Ethereum, protects the connection between a wallet's public key and its private key. When you publish a transaction, your public key becomes visible on-chain. A sufficiently capable quantum computer running Shor's algorithm could derive the private key from that public key. That's the attack vector.
The key exposure problem: Bitcoin addresses that have been used to send transactions have already exposed their public keys on the blockchain. Addresses that have only received funds and never spent have not. Estimates vary, but a significant fraction of existing Bitcoin supply sits in "reused" or already-spent addresses, making those coins potentially vulnerable the moment a capable CRQC exists.
What quantum computers don't immediately threaten is the proof-of-work mining process itself, which relies on hash functions rather than elliptic curves. Grover's algorithm does offer a quadratic speedup against hash functions, but the practical impact is equivalent to halving the effective bit security, not eliminating it. SHA-256 and similar hashing constructions are considered quantum-resistant enough for the near term with appropriate parameter increases.
The real near-term risk isn't "all crypto breaks tomorrow." It's more specific and more insidious: dormant wallets, reused addresses, and any public key that's been broadcast on a public chain become increasingly attractive targets as CRQC capability improves incrementally. Attackers don't need to crack everything. They need to crack the highest-value exposed keys, and they can be patient while hardware improves.
| Asset / Protocol | Primary Vulnerability | Quantum Attack Vector | Urgency Level |
|---|---|---|---|
| Bitcoin (used addresses) | Exposed public keys on-chain | Shor's algorithm vs. ECDLP-256 | High |
| Ethereum wallets | ECDSA key pairs | Shor's algorithm vs. ECDLP-256 | High |
| Bitcoin (unused addresses) | Hash-protected until first spend | Grover's algorithm (limited) | Medium |
| SHA-256 mining | Hash functions | Grover's algorithm (quadratic speedup only) | Low near-term |
| TLS / Exchange infrastructure | Public-key encryption in transit | Shor's algorithm vs. RSA/ECC | High (NIST PQC standards available) |
$158 Billion in Illicit Flows: The Security Problem That Already Exists
Before the quantum discussion even begins, the crypto ecosystem has a security problem that dwarfs any single exchange hack. TRM Labs' 2026 Crypto Crime Report, published January 28, 2026, put incoming value to illicit entities at $158 billion for 2025. That figure uses an incoming-liquidity methodology, not the narrower "directly criminal" framing some prior reports have used.
The breakdown is striking. Illicit entities captured 2.7% of incoming VASP (Virtual Asset Service Provider) liquidity in 2025, down from 2.9% the year before and from 6.0% in 2023. The trend is improvement. But 2.7% of a very large number is still a very large number. Sanctions-related flows were dominated by Russia-linked activity, including a ruble-pegged stablecoin called A7A5 that TRM says recorded over $72 billion in total volume.
Hacks accounted for $2.87 billion across nearly 150 incidents. One event, the Bybit breach, accounted for $1.46 billion of that total, making it the largest single crypto theft on record. All of those hacks used conventional attack vectors: social engineering, private-key compromise, smart-contract exploits. None required quantum hardware. The industry's classical security posture is already under severe pressure.
Why this matters for quantum planning: An ecosystem that can't defend against classical threats has even less capacity to absorb a cryptographic transition. PQC migration requires re-engineering wallet standards, exchange infrastructure, custody systems, and smart-contract key management simultaneously. The organizations that have already invested in security architecture will be far better positioned to execute that transition than those that haven't.
The compliance picture compounds this. Sanctions evasion at scale, concentrated in specific instruments like A7A5, is exactly the kind of pattern that draws regulatory attention. If quantum capability arrives before PQC standards are widely deployed, the same tools that nation-state actors are already using to move sanctioned value become dramatically harder to trace, since a quantum attacker could impersonate any wallet whose public key is already public.
The $2 Billion U.S. Bet That Accelerates Everything
The Commerce Department's May 21 announcement reframed the timeline conversation. Letters of intent for more than $2 billion in CHIPS Act incentives went to nine quantum computing firms, with IBM receiving $1 billion and GlobalFoundries $375 million. The remaining seven recipients, including Atom Computing, D-Wave, Infleqtion, PsiQuantum, Quantinuum, Rigetti, and Diraq, were each reported at $100 million or $38 million, though those specific figures should be treated as secondary-source reporting until official filings confirm them.
Equity stakes are involved. That's not a grant program, it's a strategic investment. The U.S. government is explicitly betting that domestic quantum capability will reach strategic relevance within a policy-relevant timeframe, and it's putting federal balance-sheet exposure behind that bet.
- IBM: $1 billion CHIPS Act letter of intent. IBM's roadmap already targets fault-tolerant quantum systems within this decade.
- GlobalFoundries: $375 million, focused on the semiconductor fabrication infrastructure that quantum hardware ultimately runs on.
- PsiQuantum & Quantinuum: Among the $100M recipients. Both are pursuing photonic and trapped-ion architectures with distinct fault-tolerance approaches.
- D-Wave & Rigetti: Earlier-stage commercially deployed systems. Federal backing suggests the government wants a broad hardware portfolio, not a single-architecture bet.
The nine-firm spread is deliberate. No single quantum architecture has won. Superconducting qubits, trapped ions, photonic systems, and neutral atoms all have different error profiles and scaling characteristics. By funding all of them, the federal government is hedging against architectural bets while accelerating the overall field. The result is that competition among hardware approaches will intensify, and the timeline to CRQC capability becomes harder to predict, not easier.
For the crypto industry, that unpredictability is itself a risk. The 2029 migration window that Google named is a planning date, not a threat date. No one knows exactly when a cryptographically capable machine will exist. What the funding announcement confirms is that major nation-states are actively trying to build one, and doing so with resources that private quantum startups alone couldn't match.
The Post-Quantum Migration: What It Actually Requires
The National Institute of Standards and Technology finalized its first PQC standards in 2024, providing the cryptographic primitives that blockchain developers can theoretically migrate toward. The word "theoretically" is doing a lot of work in that sentence.
Moving a live blockchain to new cryptographic standards isn't a software patch. It requires replacing the signature scheme used to authorize every transaction, migrating existing wallet key pairs, updating smart-contract logic that relies on address verification, and ensuring that the migration itself doesn't introduce a window during which both old and new schemes are simultaneously valid and therefore exploitable.
The Exposed-Key Problem Has No Perfect Solution
For wallets that have already exposed their public keys, there's no retroactive fix. The public key is on-chain permanently. The options are: move funds to a fresh address that uses a quantum-resistant scheme before a CRQC exists, or accept that those funds are permanently at risk once the hardware threshold is crossed. That's a coordination problem at civilizational scale, requiring millions of individual wallet holders to take action during a window that has no precise end date.
Ethereum Has the Clearest Path Forward
The Ethereum Foundation's inclusion in Google's coordinated disclosure suggests the protocol is already planning. Ethereum's account-abstraction roadmap, combined with its history of hard-forking to address security issues, gives it more institutional flexibility than Bitcoin's more conservative governance model. That doesn't mean Ethereum will move fast, but it does mean the governance pathway exists.
Bitcoin's situation is more complicated. The protocol's conservatism is a feature in most contexts. In this one, it means that a migration requiring a hard fork faces the same coordination challenges that have blocked other significant Bitcoin upgrades, amplified by the stakes involved.
Who Needs to Act Now, and What They Should Do
The migration burden isn't evenly distributed. Different actors face different timelines and different technical constraints.
- Exchanges and custodians hold keys on behalf of users and have the most concentrated exposure. They also have dedicated security and engineering teams. The priority is auditing what fraction of custodied assets sit in addresses with exposed public keys and beginning the migration of institutional wallets to quantum-resistant schemes as standards stabilize.
- Wallet developers need to ship PQC-compatible key generation and signing before hardware wallets and software wallets become the bottleneck. The NIST standards provide the baseline; the implementation work is real and non-trivial.
- L1 and L2 protocol teams need to begin governance processes for signature-scheme migrations now, even if execution is years away. Governance takes time. Hard forks take longer. Starting the conversation in 2029 is too late.
- Compliance teams need to understand that PQC migration isn't purely a cryptography problem. It intersects with sanctions enforcement, because a quantum attacker who can impersonate existing wallets can create attribution chaos in any subsequent investigation.
- Institutional investors with large on-chain positions should be evaluating custody providers on their PQC readiness as part of standard due diligence. A custodian with no migration plan is a security risk, not just a technical one.
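The exposed-key audit described for exchanges and custodians can be sketched as a replay of transaction history. This is an added example, not code from Google, TRM Labs or any wallet project; the ledger, address labels and the `audit_exposure` function are constructed for illustration, and it assumes the article's model in which a key is hidden until its address first spends.

```python
from collections import defaultdict

# Constructed sample ledger, not real chain data. Each transaction spends
# earlier outputs by (txid, index) and creates (address, satoshis) outputs.
LEDGER = [
    {"txid": "t1", "inputs": [], "outputs": [("addr_A", 500_000), ("addr_B", 300_000)]},
    # addr_A spends and sends change back to itself: address reuse.
    {"txid": "t2", "inputs": [("t1", 0)], "outputs": [("addr_C", 200_000), ("addr_A", 290_000)]},
    {"txid": "t3", "inputs": [], "outputs": [("addr_D", 1_000_000)]},
    {"txid": "t4", "inputs": [("t1", 1)], "outputs": [("addr_E", 295_000)]},
    # addr_B receives again after it has already spent once.
    {"txid": "t5", "inputs": [], "outputs": [("addr_B", 50_000)]},
]


def audit_exposure(ledger):
    """Replay the ledger and report unspent value held at key-exposed addresses.

    Assumption: every output is hash-protected until its address first spends,
    which is the model the article describes.
    """
    utxos = {}        # (txid, index) -> (address, amount), currently unspent
    exposed = set()   # addresses that have signed at least one spend
    for tx in ledger:
        for ref in tx["inputs"]:
            if ref not in utxos:
                raise ValueError(f"{tx['txid']} spends unknown or spent output {ref}")
            address, _ = utxos.pop(ref)
            exposed.add(address)          # the spend published this public key
        for index, (address, amount) in enumerate(tx["outputs"]):
            utxos[(tx["txid"], index)] = (address, amount)

    at_risk = defaultdict(int)
    total = 0
    for address, amount in utxos.values():
        total += amount
        if address in exposed:
            at_risk[address] += amount
    exposed_value = sum(at_risk.values())
    return {
        "total": total,
        "exposed_value": exposed_value,
        "fraction": exposed_value / total if total else 0.0,
        # Largest balances first: the order in which to move funds to fresh addresses.
        "migrate_first": sorted(at_risk.items(), key=lambda kv: kv[1], reverse=True),
    }


if __name__ == "__main__":
    report = audit_exposure(LEDGER)
    print(f"{report['exposed_value']} of {report['total']} sat "
          f"({report['fraction']:.1%}) sits behind exposed keys")
    for address, amount in report["migrate_first"]:
        print(f"  {address}: {amount} sat")
```

Funds at `addr_C`, `addr_D` and `addr_E` are not flagged because those addresses have never spent; `addr_A` and `addr_B` hold value behind keys that an earlier spend already published.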
Frequently Asked Questions
Can quantum computers break Bitcoin right now?
No. Current quantum hardware is nowhere near the scale required. Google's updated estimate requires fewer than 500,000 physical qubits on a fault-tolerant superconducting machine. The largest publicly known systems today operate at far lower scales and with much higher error rates. The threat is a planning-horizon risk, not an imminent one.
What is elliptic-curve cryptography and why does it matter for crypto?
Elliptic-curve cryptography (ECC) is the math that connects a crypto wallet's public and private keys. Bitcoin and Ethereum both use a specific curve called secp256k1. A quantum computer running Shor's algorithm could solve the underlying mathematical problem (ECDLP-256) fast enough to derive a private key from a public key, effectively stealing any wallet whose public key is visible.
What is post-quantum cryptography (PQC)?
Post-quantum cryptography refers to cryptographic algorithms believed to resist attacks from both classical and quantum computers. NIST finalized its first PQC standards in 2024, including lattice-based and hash-based schemes. These provide the building blocks for a blockchain migration, but the migration itself still requires significant protocol-level work.
When did Google say quantum computers will be able to break cryptocurrency?
Google's March 2026 whitepaper introduced 2029 as a migration planning horizon, not a confirmed threat date. The company said communities with vulnerable key infrastructure should begin PQC transitions now, using 2029 as the outer bound for planning purposes rather than predicting CRQC capability on a fixed date.
Are all crypto wallets equally at risk from quantum attacks?
No. Wallets that have already sent transactions have exposed their public keys on-chain and are more vulnerable. Wallets that have only received funds and never spent are protected by an additional hash layer. Moving funds to a fresh quantum-resistant address before a capable CRQC exists is the most straightforward mitigation for at-risk coins.
How much crypto is stolen each year, and is quantum hacking part of that?
TRM Labs reported $2.87 billion stolen across nearly 150 hacks in 2025. None of those hacks used quantum techniques. Current theft relies on classical attacks: social engineering, smart-contract exploits, and private-key compromise. Quantum attacks remain a future risk, not a present one.
What is the U.S. government's role in quantum computing investment?
The U.S. Commerce Department announced over $2 billion in CHIPS Act letters of intent for nine quantum firms in May 2026, including $1 billion for IBM. The investments include equity stakes, signaling that the federal government views quantum capability as strategically important and is backing the hardware race with national-security-level resources.
What should crypto holders do to protect themselves from quantum risk?
In the near term: move coins from reused or transaction-history addresses to fresh addresses, follow protocol upgrade announcements from Bitcoin and Ethereum for PQC migration plans, and choose custodians who can articulate a quantum-readiness roadmap. NIST's 2024 PQC standards are the reference framework for any serious migration effort.
What Comes Next: A Race Against an Uncertain Clock
The blockchain industry is entering a transition it can't opt out of. The cryptographic foundations of Bitcoin, Ethereum, and virtually every other chain were designed in a world where quantum hardware was a physics thought experiment. That world is ending. It isn't ending tomorrow, or next year, but Google's revised estimates and the scale of federal quantum investment both point to a timeline that demands planning decisions now, not at the moment the threat materializes.
The crime data makes the stakes visceral. An ecosystem handling $158 billion in annual illicit flows is not a system with slack in its security posture. The organizations that treat PQC migration as a background task will find themselves managing a cryptographic emergency at exactly the same moment their compliance teams are dealing with a resurgent threat environment. The organizations that start now will have options. The ones that wait won't.
Google's decision to coordinate this disclosure with Coinbase, the Ethereum Foundation, and the U.S. government is the most telling signal of all. This isn't a research curiosity anymore. It's an industry-wide planning document with a named deadline and named partners. The window is open. The question is who uses it.