Nine Minutes
Google can break Bitcoin's encryption in 9 minutes. I ran 636 earnings calls to find out who's preparing and who's pretending.
On February 5, 2026, on Strategy’s Q4 2025 earnings call, Michael Saylor devoted an entire slide to quantum computing. He called it “the concern du jour.” He compared premature preparation to “over-vaccinating.” He quoted The Hitchhiker’s Guide to the Galaxy: “Don’t panic.”
Then, buried in the middle of his dismissal, he announced a “Bitcoin Security Program” to coordinate with the global cybersecurity community on quantum-resistant solutions.
On March 31, 2026, Google Quantum AI published a paper demonstrating that a superconducting quantum computer with fewer than 500,000 physical qubits can derive a Bitcoin private key from a public key in approximately 9 minutes. The paper was co-authored by Justin Drake of the Ethereum Foundation and Dan Boneh of Stanford, the cryptographer who co-created BLS signatures (Boneh-Lynn-Shacham), the same signatures that secure Ethereum’s proof-of-stake consensus.
Strategy (formerly MicroStrategy) holds over 762,000 BTC. At current prices, that is over $52 billion sitting in wallets secured by the same elliptic curve cryptography that Google just showed can be broken in under 10 minutes.
This is not a theoretical risk on a distant timeline. Google’s own internal deadline for migrating its systems to post-quantum cryptography is 2029. NIST will disallow the current standard by 2035. Scott Aaronson, one of the world’s leading quantum computing scientists, called a cryptographically relevant quantum computer “a live possibility before the next US presidential election.” The expert consensus has moved from the 2050s to the early 2030s. Every revision moves the date closer. None have moved it further away.
There are 6.9 million BTC with exposed public keys on the blockchain right now, roughly $470 billion at current prices. They cannot be moved to safety without their owners taking action. And Bitcoin’s migration to quantum-resistant cryptography has not started. The minimum estimate for that migration is seven years. If the experts are right about the timeline, Bitcoin needed to start in 2022.
I wanted to understand who was preparing and who was pretending. So I ran 636 earnings transcripts, every public company with quantum or crypto exposure, through TonalityIQ, a system we built to analyze the language patterns in earnings calls. It measures the gap between what CEOs say and what the data supports. It detected Apple’s AI confidence peak one quarter before the Siri delays and 20% drawdown. It flagged Peloton before the 17% move. It identified private credit stress before seven platforms gated over $100 billion.
Saylor’s language pattern is the most alarming thing I found.
---
In March, I published an analysis of Peloton at $4, a company generating $345 million in free cash flow that the market was pricing for bankruptcy. The stock moved 17% in a day. The thesis worked because the market ignored the cash flow statement. The structure was right there. Nobody looked.
This piece is about the gap between the companies building quantum computers and the companies holding billions in assets that quantum computers will break. Over $52 billion in Bitcoin secured by a signature scheme that Google just showed can be cracked in 9 minutes. The builders talk about it constantly. The holders barely mention it. That gap is not just an observation. It’s a trade.
Here is what I will show you. First, how the attack actually works, and why Bitcoin’s design makes it uniquely vulnerable. Second, who is exposed: $52 billion at Strategy, $60 billion at Coinbase, $470 billion in wallets with exposed public keys, and the pension funds and ETFs connected to all of them. Third, which blockchains are migrating and which are not. Fourth, why Bitcoin cannot upgrade fast enough, and what that means for every holder. And fifth, what I am doing about it.
Saylor’s language on the Q4 call (maximum conviction, minimum constraint) is a signature we call Terminal Confidence. Across the 636 companies in our dataset, this linguistic pattern has historically preceded negative forward returns. It doesn’t mean the CEO is wrong. It means the CEO is more confident than the facts warrant.
Saylor isn’t stupid. He knows quantum is a threat. That’s why he launched the Bitcoin Security Program on the same call where he told everyone not to worry about it. He’s managing two audiences: the retail holders who need to hear “don’t panic,” and the institutions who need to see that he’s taking action. The problem is that the action is a coordination program, not a migration. And the Google paper says the clock is already running.
---
The 9-minute attack.
Previous estimates required approximately 9 million physical qubits to break Bitcoin’s secp256k1 curve (Litinski, 2023). Google’s new compilation brings that down to fewer than 500,000, roughly a 20x reduction. They published two circuit variants: one using 1,200 logical qubits with 90 million Toffoli gates, another using 1,450 logical qubits with 70 million Toffoli gates. On standard superconducting hardware with planar connectivity and 10^-3 physical error rates, those circuits execute in minutes.
A superconducting quantum computer running Shor’s algorithm can derive a private key from a public key in approximately 9 minutes. Bitcoin’s average block time is 10 minutes. The attack window exists.
The first half of the algorithm can be precomputed: the machine sits in a “primed” state, waiting for a public key to appear in the mempool. Once a transaction is broadcast, the clock starts. Nine minutes later, the attacker has your private key. They broadcast a competing transaction with a higher fee. Your Bitcoin goes to them.
Google calls this an “on-spend” attack. The success probability against Bitcoin’s 10-minute block time is approximately 41%.
Against Litecoin (2.5-minute blocks): 3%. Against Zcash (75-second blocks): less than 0.08%. Against Dogecoin (1-minute blocks): less than 0.01%.
Bitcoin’s long block time, the feature that was supposed to make it secure and deliberate, is now its greatest vulnerability. Dogecoin, of all things, is more quantum-resistant than Bitcoin.
But not all quantum computers are created equal. And this distinction matters enormously for what happens next.
---
Fast clock versus slow clock.
The Google paper introduces a critical distinction that most commentary has missed. Not all quantum computers can execute the 9-minute attack. Only “fast-clock” architectures (superconducting qubits, photonic systems, and silicon spin qubits) have gate speeds fast enough to break a key before a Bitcoin block is mined.
Superconducting qubits operate with gate speeds of 10 to 50 nanoseconds and coherence times of roughly 100 microseconds. They are sprinters. They can execute Shor’s algorithm in minutes.
Google’s Willow chip, unveiled in December 2024, is a 105-qubit superconducting processor that achieved what researchers had pursued for 30 years: below-threshold error correction. Previous quantum systems got worse as you added more qubits; errors compounded faster than correction could fix them. Willow proved the opposite. As Google scaled from 3x3 to 5x5 to 7x7 qubit arrays, the logical error rate decreased exponentially. Every additional qubit made the system better, not worse. CEO Sundar Pichai called it “cracking a 30-year challenge.” The benchmark computation Willow completed in under 5 minutes would take the Frontier supercomputer, one of the world’s fastest, approximately 10 septillion years. That number is meaningless in practical terms. What matters is that Google proved you can buy reliability with more qubits. The engineering barrier that kept quantum computers from scaling is gone.
IBM’s Heron processors and Rigetti’s modular chiplet systems are also superconducting. If any of these labs scales to 500,000 physical qubits (which Google’s own roadmap targets by the end of the decade), they can do on-spend attacks: intercepting your transaction in the mempool, deriving your private key, and redirecting your Bitcoin before the block is mined.
Trapped-ion qubits, the technology behind IonQ and Honeywell’s Quantinuum, operate with gate speeds of 1.6 to 50 microseconds. That is 1,000 to 5,000 times slower than superconducting. Their coherence times are extraordinary (up to 50 seconds, which is 500,000 times longer than superconducting) but the slow gate speed means they cannot execute Shor’s algorithm within Bitcoin’s block time. They are marathon runners. They can crack dormant wallets given hours or days, but they cannot intercept live transactions.
Neutral atom systems (Infleqtion, QuEra, Atom Computing, Pasqal) are even slower. Cycle times measured in milliseconds. Excellent scalability in theory, but the same limitation: at-rest attacks only.
This distinction is not academic. It determines which companies are actually building the weapon that threatens active Bitcoin transactions, and which are building slower machines that can only threaten dormant wallets.
Google, IBM, and Rigetti are building fast-clock systems. They are the existential threat.
IonQ has the largest market cap among quantum pure-plays at roughly $10 billion on $80 million in trailing revenue. But ion trap is slow-clock. It cannot do on-spend attacks. At 125 times revenue, the market is pricing IonQ as if it’s the same threat as superconducting. It isn’t.
D-Wave is trading at roughly $5 billion on $24 million in revenue. D-Wave uses quantum annealing, a fundamentally different approach that cannot run Shor’s algorithm at all. It is not a cryptographically relevant quantum computer. It never will be. At 200 times revenue, the market is pricing D-Wave as if it can break encryption. It cannot.
This matters because retail investors are piling into quantum stocks without understanding the distinction. When CNBC runs a segment on “quantum computing stocks,” they show IONQ, D-Wave, and Rigetti in the same breath. One of those three uses the right architecture (Rigetti, superconducting). One uses the right physics but is too slow (IonQ, ion trap). And one can’t run the relevant algorithm at all (D-Wave, annealing). The market treats them as interchangeable. They are not. Buying D-Wave for quantum encryption exposure is like buying a diesel truck because you heard electric vehicles are the future. The word “quantum” is doing all the work. The technology is doing none of it.
This is the same illusion of diversification I found in the private credit market, where investors owned GBDC and GSBD thinking they had two different funds and actually had the same portfolio twice. In quantum, investors own IONQ and QBTS thinking they have two different quantum bets and actually have one slow-clock machine that can’t do on-spend attacks and one annealing machine that can’t run Shor’s at all. Different tickers. Same misunderstanding.
When Saylor says quantum is “10 or more years away,” he may be right about slow-clock systems. But the Google paper is about fast-clock superconducting systems. And Google’s internal PQC migration deadline is 2029.
---
That is how the attack works. Now let me show you why you are already exposed, even if Q-Day is years away.
They’re already recording your transactions.
There is a threat model that doesn’t require waiting for Q-Day at all. It’s called “harvest now, decrypt later,” and every major intelligence agency in the world formally acknowledges it as an active operation.
The concept is straightforward. An adversary intercepts and stores encrypted data today, with the explicit intent to decrypt it once a quantum computer capable of breaking the encryption becomes available. The data sits in cold storage (years, decades) waiting for the machine that can open it.
The U.S. Department of Homeland Security, the NSA, the UK’s National Cyber Security Centre, the European Union Agency for Cybersecurity, and the Australian Cyber Security Centre all base their post-quantum transition guidance on the assumption that harvest-now-decrypt-later operations are currently underway. The Federal Reserve published a formal research paper examining this exact threat model applied to distributed ledger networks.
Bitcoin makes this trivially easy. Every transaction broadcasts the sender’s public key to the network. The entire blockchain is a public ledger. An adversary doesn’t need to intercept anything; the data is already there, permanently recorded, waiting. The 6.9 million BTC with exposed public keys aren’t just vulnerable to a future quantum computer. They’re already catalogued. The attack surface is frozen in time.
Nobody is confirming specific state-level harvesting operations. But when all five major Western cybersecurity agencies design their transition mandates around the assumption that it’s happening, the absence of confirmation is not the same as the absence of activity.
The Venona precedent suggests how long these operations stay secret. From 1943 to 1980, the U.S. Army Signal Intelligence Service ran a 37-year program to decrypt Soviet communications. Knowledge was compartmentalized so tightly that the CIA wasn’t read in for 9 years. The Army Chief of Staff explicitly denied President Truman direct knowledge of the program, fearing White House leaks. The full texts weren’t declassified until 1995, 52 years after the program began.
If the U.S. government could keep a cryptographic capability secret from its own president for decades, the idea that a quantum breakthrough could exist today without public knowledge is not paranoia. It’s historical pattern recognition.
The self-censorship has already started in the quantum community. The Google paper itself is evidence of this. Google did not publish the quantum circuits that break secp256k1. They published the resource estimates (how many qubits, how many gates, how many minutes) and then validated those estimates using a zero-knowledge proof. A ZK proof lets you verify that someone has a valid solution without seeing the solution itself. Google is telling the world how close the threat is while deliberately withholding the blueprint.
Alex Pruden described it on the podcast: “The scientists are already self-censoring. If you read the papers, there are papers that would be published. They’re not being published. Because they’re concerned that maybe China is going to get their hands on it.” When the researchers stop publishing, it doesn’t mean progress has stopped. It means progress has entered the phase where the implications are too dangerous to share openly.
This is the equivalent of Leo Szilard patenting the nuclear chain reaction in 1934 and assigning the patent to the British Admiralty to keep it secret. The physics was known. The engineering was close. The publication stopped because the stakes had changed. We are at that point with quantum cryptanalysis. The physics is known. The engineering is scaling. The papers are getting quieter.
---
$52 billion in ECDSA wallets.
Strategy’s 762,000+ BTC sit in wallets secured by ECDSA signatures on the secp256k1 curve. Saylor has not disclosed what address types his coins are in, whether public keys have been reused, or what percentage is in quantum-vulnerable formats.
He is not alone in this exposure.
The Google paper identifies 6.9 million BTC, roughly $600 billion, in addresses with exposed public keys. These coins are already exposed to at-rest attacks, before any quantum computer has been built. The data is already on-chain. The public keys are already known. All that’s missing is the machine.
Project 11 tracks this exposure in real time. Their number: 4.8 million BTC exposed through address reuse alone, plus 1.7 million in legacy P2PK addresses from Bitcoin’s earliest days, including approximately 1 million coins believed to belong to Satoshi.
Taproot, Bitcoin’s most recent upgrade from 2021, made things worse. P2TR addresses re-expose public keys directly in the locking script, a design choice that traded quantum security for transaction flexibility. Nic Carter calls it bluntly: “Taproot was a mistake.” P2TR represented 21.68 percent of all Bitcoin transactions in 2025. Every one of those transactions created a new quantum-vulnerable output.
Nic Carter puts the systemic risk starkly: “Your coins might be safe, but the dollar value is going to maybe one cent because someone market sold Satoshi’s bitcoins.”
We have a precedent for what happens when early Bitcoin moves unexpectedly. In May 2020, 50 BTC from an address mined in February 2009, one month after Bitcoin’s genesis block, suddenly moved after 11 years of dormancy. Bitcoin’s price dropped 5 percent within hours. Fifty coins. Five percent.
Satoshi’s estimated holdings are approximately 1 million BTC across roughly 20,000 addresses. If a quantum attacker moved even a fraction of those, the market response would not be a 5 percent dip. It would be an existential confidence crisis.
Binance’s largest cold wallet, address 34xp4vRoCGJym3xR7yCVPFHoCNxv4Twseo, holds approximately 248,000 BTC. If Binance has ever spent from that address, the public key is exposed on-chain and vulnerable to at-rest attack. That is one wallet at one exchange.
Even if Saylor’s wallets are perfectly hygienic (hashed addresses, no reuse), the systemic risk remains. If Q-Day arrives before Bitcoin migrates, confidence collapses regardless of individual wallet security. This is the part Saylor isn’t telling his shareholders.
And then there’s Coinbase.
Brian Armstrong mentioned quantum exactly once on his Q4 call, dismissing it as “Monday morning quarterbacking.” His exact words: “There’s a lot of Monday morning quarterbacking happening where people will look backwards and say, ‘Oh, it must be because of Kevin Warsh is an inflation hawk or quantum computing is on the horizon or something.’ And I actually don’t think this market correction is that connected to any fundamentals.”
Coinbase is the primary custodian for BlackRock’s IBIT (~$55-63 billion in Bitcoin) and ETHA (~$6-7 billion in Ethereum). Anchorage Digital was added as a secondary custodian in April 2025. The CEO of the company securing over $60 billion in crypto assets for the world’s largest asset manager publicly dismisses quantum risk as market noise.
Riot Platforms: zero quantum mentions across all available transcripts. The largest US Bitcoin miner has never discussed quantum risk on an earnings call.
BlackRock: zero mentions in 80 transcripts going back to 2007. The company that brought institutional Bitcoin to the masses through IBIT has never said the word “quantum” on an earnings call.
Insurance companies have noticed what these executives haven’t. Crypto custody policies from major insurers cover theft, hacking, and operational failures, but the underlying cryptographic assumptions are treated as given. No major insurer is pricing the risk that the signature scheme itself breaks. The policies protect you against someone stealing your key. They don’t protect you against someone computing it.
The SEC has not required quantum risk disclosure for crypto ETFs or custodians. The Post-Quantum Cybersecurity Standards Act (H.R. 3259) is in Congress but not finalized. There is no regulatory forcing function. The companies most exposed are choosing silence.
Consider what a responsible custodian would be doing right now. They would be inventorying every address type in their custody infrastructure, identifying which wallets use P2PKH, which use P2WPKH, which use P2TR. They would be eliminating address reuse across all customer accounts. They would be testing post-quantum signature schemes in a sandbox environment. They would be publishing a PQC migration roadmap with dates, milestones, and a signature scheme selection. They would be coordinating with NIST, with the Bitcoin Core developers, with the Ethereum Foundation’s PQ team.
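The first two items on that list, the address-type inventory and the reuse check, can be scripted against a custody system's own output records. The sketch below is an added example, not code from this article or from any custodian; the record format (`script`, `sats`, `spent`), the status labels and the sample data are assumptions constructed for illustration.

```python
"""Inventory unspent outputs by script type and public-key exposure."""
from collections import defaultdict

# Output types whose locking script carries the public key itself.
KEY_IN_LOCKING_SCRIPT = {"P2PK", "P2TR"}
# Output types that commit to a hash; the key or script is revealed on first spend.
KEY_REVEALED_ON_SPEND = {"P2PKH", "P2WPKH", "P2SH", "P2WSH"}


def classify_script(spk: bytes) -> str:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"      # <pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "P2PKH"     # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "P2SH"      # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"    # witness v0, 20-byte program
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"     # witness v0, 32-byte program
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"      # witness v1, 32-byte output key
    return "OTHER"


def inventory(outputs):
    """Return {(script_type, status): total_sats} over the unspent outputs.

    Each record: {"script": hex scriptPubKey, "sats": int, "spent": bool}.
    A hashed script that has already been spent from once has revealed its
    key, so any remaining unspent output on the same script counts as reuse.
    """
    spent_scripts = {o["script"].lower() for o in outputs if o["spent"]}
    totals = defaultdict(int)
    for o in outputs:
        if o["spent"]:
            continue
        script = o["script"].lower()
        kind = classify_script(bytes.fromhex(script))
        if kind in KEY_IN_LOCKING_SCRIPT:
            status = "key-exposed"
        elif kind in KEY_REVEALED_ON_SPEND:
            status = "exposed-by-reuse" if script in spent_scripts else "hashed"
        else:
            status = "review-manually"
        totals[(kind, status)] += o["sats"]
    return dict(totals)


def exposed_sats(totals):
    """Sum every bucket whose public key is already visible on-chain."""
    return sum(v for (_, status), v in totals.items()
               if status in ("key-exposed", "exposed-by-reuse"))


# Constructed sample data: placeholder keys and hashes, not real wallets.
H20_A, H20_B, H32 = "aa" * 20, "bb" * 20, "cc" * 32
SAMPLE = [
    {"script": "21" + "02" + "11" * 32 + "ac", "sats": 5_000_000_000, "spent": False},  # P2PK
    {"script": "76a914" + H20_A + "88ac", "sats": 100_000, "spent": True},   # spent once...
    {"script": "76a914" + H20_A + "88ac", "sats": 250_000, "spent": False},  # ...then reused
    {"script": "0014" + H20_B, "sats": 700_000, "spent": False},             # P2WPKH, fresh
    {"script": "5120" + H32, "sats": 300_000, "spent": False},               # P2TR
    {"script": "a914" + H20_B + "87", "sats": 40_000, "spent": False},       # P2SH, fresh
]

if __name__ == "__main__":
    report = inventory(SAMPLE)
    for (kind, status), sats in sorted(report.items()):
        print(f"{kind:7} {status:17} {sats:>13,} sats")
    print("exposed total:", exposed_sats(report))
```

The "hashed" bucket is the only one that stays protected at rest, and only until the first spend from that script.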
Coinbase has done none of this publicly. Neither has Fidelity Digital Assets, which custodies FBTC. Neither has BitGo, which custodies for dozens of institutional clients. The companies that hold the most Bitcoin on behalf of the most investors have published zero PQC roadmaps, zero migration plans, and zero disclosures about the quantum vulnerability of their custody architecture.
Google has a PQC migration deadline of 2029 for its own systems. Cloudflare has deployed PQC in TLS. Signal uses post-quantum key exchange. Apple is implementing PQC in iMessage. The companies that move your data are already migrating. The companies that hold your money are not.
---
Ethereum’s five attack vectors.
Ethereum’s exposure is different from Bitcoin’s but arguably worse. The Google paper identifies five distinct quantum vulnerabilities, more than any other blockchain analyzed.
Account vulnerability. Ethereum maintains persistent accounts, unlike Bitcoin’s UTXO model. The top 1,000 Ethereum accounts hold 20.5 million ETH with exposed public keys. One quantum computer could crack all of them in less than 9 days. Once an Ethereum account initiates its first transaction, its public key is permanently exposed. There is no way to rotate keys without abandoning the account entirely, along with its DeFi positions, governance history, and on-chain identity.
Admin vulnerability. Smart contract admin keys controlling 2.5 million ETH and over $200 billion in stablecoins and tokenized real-world assets, including USDT and USDC, are exposed on-chain. These admin keys can pause contracts, upgrade logic, mint tokens, and freeze accounts. A quantum attacker who derives an admin key doesn’t just steal funds; they take control of the entire protocol. This is how you collapse a stablecoin peg: mint unlimited tokens from a compromised admin key and watch the market lose confidence in the backing.
Code vulnerability. 15 million ETH is locked in Layer 2 protocols (Arbitrum, Base, Optimism) that use quantum-vulnerable zkSNARKs for validity proofs. If the underlying pairing-based cryptography is broken, an attacker can forge validity proofs and convince the L1 chain that fraudulent L2 transactions are legitimate. The exception is Starknet, which uses hash-based zkSTARKs believed to be quantum-resistant.
Consensus vulnerability. 37 million staked ETH is secured by BLS signatures on the BLS12-381 curve. These signatures enable Ethereum’s proof-of-stake validators to aggregate thousands of attestations efficiently. Google’s paper notes that while BLS12-381 requires a somewhat larger quantum computer than secp256k1 due to the 381-bit coordinate size, the cost increase is modest. A quantum attacker who compromises one-third of validators can halt finality. Two-thirds gives them full chain control. With roughly one million validators and 9 minutes per key derivation, an attacker with 20 fast-clock machines would need more than nine months to crack a supermajority. Safety in numbers, but numbers that shrink as machines get faster.
Data availability vulnerability. This is the most insidious. Ethereum’s Data Availability Sampling mechanism uses KZG polynomial commitments on the BLS12-381 curve. The KZG scheme depends on a trusted setup ceremony that generated a secret scalar, the “toxic waste,” which was supposed to be destroyed. A quantum computer can recover this scalar from the public parameters. Once recovered, the attacker has a permanent, reusable classical exploit. No quantum computer needed after that first break. They can forge data availability proofs indefinitely, on a laptop, forever. This is what the Google paper calls an “on-setup” attack. Break it once, exploit it forever.
To be clear: Ethereum also runs on ECDSA today. Every chain using elliptic curves is vulnerable. The difference is that Ethereum has a roadmap and a team executing on it. Bitcoin does not.
---
Bitcoin cannot upgrade fast enough.
This is the part of the story that should concern every Bitcoin holder more than the quantum physics.
Bitcoin’s last two protocol upgrades were SegWit and Taproot. SegWit was first proposed in 2015 and activated in August 2017, but the full conception-to-industry-adoption timeline was approximately 8.5 years. Taproot was proposed in January 2020 and activated in November 2021, but traced back to earlier research, making the full timeline roughly 7.5 years.
A post-quantum cryptographic migration would be more complex than either. It requires choosing a signature scheme (hash-based, lattice-based, or both), implementing it in Bitcoin Core, testing extensively, achieving miner consensus, and then migrating all 55 million addresses on the network. Every individual holder must move their coins from old addresses to new quantum-safe addresses. Any coins left behind in old formats become permanently vulnerable.
The Chaincode Labs estimate for this process: 7 years minimum. Compressed timelines introduce risk; rushed migrations break things.
Consider what “7 years minimum” means in practice. The SegWit upgrade was a soft fork: it tightened the rules, so any miner running old software would still accept blocks from updated miners. Even so, it triggered a civil war in the Bitcoin community that lasted two years and culminated in the August 2017 hard fork that created Bitcoin Cash. The fight was over block size, a 4x increase from 1 MB to 4 MB. The community literally split the network over 3 megabytes.
A PQC migration is harder than SegWit. It requires changing the fundamental signature scheme that every wallet, every exchange, every hardware device, every Lightning channel, and every custodian uses. Current ECDSA signatures are roughly 70 bytes. NIST-standardized PQC signatures are several kilobytes, 20 to 40 times larger. Swapping them in without increasing block size would reduce Bitcoin’s transaction throughput by roughly half. The block size debate that split Bitcoin in 2017 would reignite with existential stakes.
There is a hybrid approach. Taproot’s script-path flexibility allows adding a hash-based PQC signature (like SLH-DSA) as a hidden spending path. When you create a Taproot output, you commit to two spend paths: a normal Schnorr key-path and a PQC script-path. This is backwards compatible until activation. But it has a critical flaw: any UTXOs created before the upgrade, or wallets that opt out, become frozen and unspendable once PQC checks are enforced. The migration is not just a software update. It is 55 million individual decisions by 55 million individual holders. There is no admin who can flip a switch.
Banks have a CISO. One person. One database. One decision. Bitcoin is a database collectively managed by tens of millions of people. Nic Carter said on the podcast: “There’s no one that can flip the switch for us. We have to do it.”
BIP 360, which was merged into the BIP repository on February 11, 2026 (though a merge does not signal endorsement or activation), is a step, but only a step. It introduces Pay-to-Merkle-Root (P2MR) addresses that remove Taproot’s quantum-vulnerable key path spend. BTQ Technologies deployed the first functional implementation on Bitcoin’s quantum testnet on March 20. This patches the Taproot regression but does not add post-quantum signatures to Bitcoin. It’s a bandage, not a cure.
The federal government is moving faster than Bitcoin. NIST published its first PQC standards in August 2024. The NSA’s CNSA 2.0 requires all new National Security Systems to adopt quantum-resistant solutions by 2027. The FIPS 140-2 standard sunsets on September 21, 2026, after which only FIPS 140-3 validated modules are approved for federal procurement. Google is already deploying PQC in Android 17. Cloudflare has PQC in TLS by default. Signal uses PQXDH (post-quantum extended Diffie-Hellman) for encrypted messaging.
If Google’s internal timeline is right and Q-Day is 2029, Bitcoin needed to start this migration in 2022. It didn’t. BIP 360 just merged. The spec isn’t written. The testing hasn’t started. The consensus doesn’t exist. The migration timeline starts at zero.
Nic Carter, who openly holds Bitcoin and dislikes Ethereum, said on the podcast: “Bitcoin is the worst off of all the blockchains by far. The developers haven’t made any changes to Bitcoin since Taproot 2021. Whatever they’re doing is clearly not very important.”
Alex Pruden added: “If you’re betting your entire life savings on this, I don’t think the answer is good enough that ‘people are working on it and it will all be fine.’ The answer is it may all be fine, but let’s do the research. Let’s start now.”
---
Who’s preparing and who isn’t.
I searched 636 earnings transcripts for mentions of quantum computing, post-quantum cryptography, and Shor’s algorithm. The results split cleanly.


