The Quantum Threat to CryptoRead more
Jul 7, 2026

The Quantum Threat to Crypto

Quantum computing’s threat to crypto is the risk the market has, for the most part, blissfully ignored. But cryptographers and security researchers keep warning that a large enough fault-tolerant quantum computer will be able to break the encryption protecting almost all wallets on every major blockchain that relies on elliptic-curve signatures.

Quantum computing’s threat to crypto is the risk the market has, for the most part, blissfully ignored. But cryptographers and security researchers keep warning that a large enough fault-tolerant quantum computer will be able to break the encryption protecting almost all wallets on every major blockchain that relies on elliptic-curve signatures. On the other hand, they can't seem to find common ground on when such a machine will exist or who’s prepared for it, and it's turned into quite the debate.

This page establishes the map to this conundrum. It covers what quantum can break, when it's likely to happen, how much money sits in the blast radius, and what holders and blockchains can do before time runs out.

What quantum computing breaks in crypto

Quantum computers threaten one specific kind of cryptography: the public-key kind. This means that the popular line that they "break ALL encryption" is a massive overstatement.

Shor's algorithm solves the math behind public-key cryptography, so RSA, Diffie-Hellman, ECDSA, and Schnorr all succumb to a machine large enough to run it. They're the schemes that sign your transactions and prove you own your crypto. Bitcoin and Ethereum both lean on ECDSA over the secp256k1 curve, so a working quantum attacker could forge a signature and move funds that aren't theirs.

Hashing takes a smaller hit. Grover's algorithm cuts SHA-256, the function behind Bitcoin mining and address generation, to about 128-bit security, which still stays far out of reach. AES-256 holds up the same way. So, Bitcoin's mining and ledger integrity are in much better shape security-wise than its signatures, and a modern hashed-key address like P2WPKH keeps your public key hidden until you spend. The danger is almost exclusively in the signature layer. 

When Q-Day arrives

Q-Day is the day when researchers believe a powerful quantum computer will be able to break ECDSA in practice. No one can name the exact date, but credible estimates run from an aggressive 2028 to a more mainstream 2035, with no consensus point in between.

Meanwhile, the estimates keep moving closer to the present. In March 2026, Google Quantum AI published a resource estimate that cut the cost of breaking secp256k1, under a specific set of hardware and error-correction assumptions, to fewer than 500,000 physical qubits - about a 20x drop from the prior best figure. Today's largest processors hold on the order of 1,000 physical qubits, so the divide is still enormous. The way it's closing is what should hold your attention.

06_crqc_timeline.png

Twelve months of compounding threat updates. Each milestone reduces the engineering bar for a cryptographically relevant quantum computer. Source: qLABS

Why the clock already started

You don't have to wait for Q-Day to be exposed today, which is the part that catches a lot of people off guard.

There's a tactic some malicious actors may use called 'harvest now, decrypt later', and it works a little differently for crypto than it does for encrypted data. In crypto's case, an attacker records an exposed public key today and forges its signature once a quantum computer exists, which only hurts if the assets still sit on that key when the machine arrives. 

A reused Bitcoin address or an old pay-to-public-key output is the classic target, as its key has been out in the open for years. 

How much money is at risk

A lot, and it's concentrated. We measure the quantum computing crypto exposure with our own L1 Quantum Vulnerability Index (qLVI, April 2026), and since qLABS builds quantum-safe products, we disclose our full methodology and conflicts of interest inside it. The index ranks the ten largest chains by market cap, over $2 trillion in combined value, and scores each one for quantum exposure on a scale where 0 is safe and 10 is maximum vulnerability. Every chain on the list scores above the midpoint.

Bitcoin tops the list at 8.33, the most exposed chain we measured. It's also the largest by far at about $1.51 trillion, close to three-quarters of the value across all ten chains. Bitcoin scores worst mainly because it's the oldest, with about 17 years of exposed keys and the top harvest-now-decrypt-later rating in our index. Hyperliquid follows at 7.90, with BNB Chain and Dogecoin just behind. Cardano lands at the safe end of the table, with its score of 5.60. 

Even the best-prepared chain we rank sits more than halfway up the scale, which tells you how early everyone is. Cardano still signs with Ed25519, which Shor's algorithm breaks like any other elliptic-curve scheme, and its post-quantum work is at the roadmap stage, planned for 2026. Ethereum sits at 6.80 and XRP at 6.30, and the latter is targeting a fix in 2028

01_qvli_ranking-2.png


Quantum Vulnerability Score by chain. Source: qLABS. Note: BNB Chain has published a quantum-migration roadmap after the L1 Quantum Vulnerability Index has been published. This is not reflected in the scoring. BNB Chain would score much lower in vulnerability today.

What fixes it

The cryptography is already in place. NIST finalized its first post-quantum standards in August 2024. ML-KEM handles key exchange, and ML-DSA and SLH-DSA handle signatures. A fourth, the signature scheme Falcon (FN-DSA), is expected as FIPS 206 around mid-2026. These have long moved from being mere experiments. They survived more than a decade of public cryptanalysis, and two of the earlier finalists got cut when researchers broke them.

Adoption is a different, more difficult story. A blockchain has to change the signature scheme on which its entire history depends. It also has to coordinate every validator and wallet, then move user funds without breaking anything and causing a chain reaction (pun intended). Coordinated migrations at this scale take years. Bitcoin still lacks a finalized migration path, and the proposals on the table have moved slowly.

In the meantime, holders don't have to wait for the chains to catch up. What you can do now is stop reusing addresses and keep long-term funds in addresses whose public keys have never been revealed on-chain. You can also add a post-quantum lock at the wallet level. That's what qVAULT.xyz does. It's a non-custodial vault that adds a Falcon (FN-DSA) lock on top of a standard wallet, so funds can't move on a broken ECDSA key alone. At launch, it protects $qONE and $HYPE on HyperEVM, with Ethereum and stablecoins planned, and it's audited by renowned blockchain security firm Fairyproof. 

The short version

All things considered, quantum computing’s threat to crypto comes down to breaking the signatures that authorize transactions, but the mining and hashing that secure the ledger will hold (for a time at least), as the fateful Q-Day lurks in the background, possibly to land somewhere around 2028 to 2035. At the same time, the cost of the attack keeps falling. Your wallet is probably exposed today through harvest now, decrypt later, and most of the risk sits on Bitcoin. The fix already exists in the NIST standards, though the migration work is what's lagging. Start with the chain you hold, and read the quantum vulnerability index to see where it ranks.

FAQ

How does quantum computing affect crypto?

Quantum computing breaks the public-key signatures that authorize cryptocurrency transactions on every major blockchain. The hashing and mining that secure the ledger stay safe, but exposed signatures on most chains will become forgeable once a sufficiently large quantum computer exists. The risk lands hardest on chains with long histories of exposed keys, like Bitcoin, Ethereum, and the rest of the top ten by market cap.

What can I do to protect my coins? 

Check out qVAULT.xyz, a non-custodial vault for crypto where you can store your crypto with an additional layer of post-quantum security, a product by qLABS. Starting with $qONE and $HYPE on HyperEVM, qVAULT.xyz will extend to more assets with time. If the asset you are holding is not supported yet, stop reusing addresses and keep long-term funds in wallets that never had any funds sent from them or any smart contract interaction. In this case, your public key will not be revealed, so the attack vector to decrypt your private key from it does not exist.

Can quantum computers steal Bitcoin right now? 

No. There’s currently no such machine that’s close to the scale needed. Nonetheless, it's a future risk you prepare for today, because exposed keys recorded now can be cracked later.

Does quantum computing break the blockchain itself? 

No. Quantum computing breaks the signatures that authorize transactions. The mining and hashing that secure the ledger stay safe, since Grover's algorithm only cuts SHA-256 to about 128-bit security, and that’s still far out of reach.

Which crypto is safest from quantum attacks? 

Cardano is the least vulnerable chain on our index at 5.60, and Bitcoin is the most vulnerable at 8.33. Even the safest score sits well above zero, so no chain is quantum-safe today. The full ranking is available at the L1 Quantum Vulnerability Index.

qLABS Editorial. Sources are linked inline. See the L1 Quantum Vulnerability Index for our full methodology and conflict-of-interest disclosure.