On June 9, 2026, Google announced a new quantum computing milestone — its Willow successor chip demonstrated error-corrected logical qubits operating below the surface-code threshold for sustained periods. The headline ran in mainstream tech press the same day. Almost immediately, Bitcoin holders started searching whether their wallets were now at risk.
The answer is: no, not yet. But "not yet" deserves an honest explanation, because the eventual quantum threat to Bitcoin is real, the timeline keeps shortening, and the mitigations are knowable in 2026 — not a problem you discover the day after a breakthrough.
This piece walks through what the June 2026 quantum milestone actually was, where quantum computing sits today relative to the threshold that would matter for Bitcoin, what changes if and when a sufficiently capable quantum computer is built, and what hardware-wallet holders can do now to stay ahead of the curve.
Google's announcement reported sustained operation of logical qubits — qubits that combine multiple physical qubits with error correction to function as a single, more reliable computational unit. The previous Willow generation (announced December 2024) demonstrated that error rates could be reduced as more qubits were added. The June 2026 update extends that result to longer time horizons, suggesting the path to a fault-tolerant quantum computer is technically clearer than it was 18 months ago.
This is real engineering progress. It doesn't, by itself, threaten Bitcoin or any current cryptography.
The reason: cryptographically relevant quantum computing requires millions of physical qubits operating coherently for the duration of a computation. Current systems operate around 1,000 physical qubits. The error correction overhead means you need roughly 1,000 physical qubits per logical qubit for cryptographically relevant tasks. Breaking ECDSA (the elliptic-curve signature scheme Bitcoin uses) is estimated to require approximately 2,500 logical qubits, which translates to roughly 2.5 million physical qubits at current error rates.
The gap between 1,000 physical qubits today and 2.5 million required for the attack is large. Closing it is plausible over a 10-20 year horizon, but the timeline is genuinely uncertain.
Three numbers worth knowing:
ECDSA-breaking requires ~2.5M physical qubits. Based on current estimates of the resource requirements for Shor's algorithm at Bitcoin's elliptic curve parameters (secp256k1).
Current state-of-the-art is ~1,000 physical qubits. IBM's roadmap targets 100,000 physical qubits by 2033. Google hasn't published comparable targets but is in a similar range.
The timeline depends on error correction breakthroughs that haven't happened yet. Each major advance (December 2024 Willow, June 2026 successor) compresses the timeline modestly but doesn't change the fundamental scaling requirement.
The honest read is that a quantum computer capable of breaking Bitcoin's signature scheme is unlikely before 2035 at the earliest, with serious risk emerging in the 2040s. Could be earlier if breakthroughs accelerate; could be later if scaling proves harder than current projections.
The Bitcoin protocol uses ECDSA for signing transactions. A sufficiently capable quantum computer could recover the private key from a public key — but only for addresses where the public key has been exposed on-chain.
At risk: addresses with exposed public keys. Any address that has sent a transaction has revealed its public key. Approximately 4 million BTC are in such addresses, including a large share of Satoshi-era coins (which used the older P2PK address format that exposes the public key from genesis).
Not at risk: addresses that have only received. Modern Bitcoin addresses (P2PKH, P2WPKH, P2TR) only expose a hash of the public key on-chain until a transaction is signed. The hash is quantum-resistant; the public key isn't.
The mitigation: never re-use addresses. A holder who receives funds at an address, then spends all of them to a new address in a single transaction, never has funds sitting at an exposed public key. This is the default behavior of modern hardware wallets and Bitcoin Core.
The protocol-level fix: post-quantum signatures. The Bitcoin protocol can be soft-forked to support post-quantum signature schemes (Falcon, Dilithium, SPHINCS+) before quantum computers become a threat. The technical research is mature; the social coordination of a soft-fork is the harder part.
Four practical steps, all available with current devices.
Use a wallet that defaults to fresh addresses. Most modern hardware wallets (Ledger, Trezor, Ryder One) generate a new receive address every time. This means no funds sit at a previously-exposed public key.
Sweep old addresses to new ones. If you have funds at an older address that has previously sent transactions, sweep the full balance to a fresh address. This removes the quantum-vulnerable exposure.
Avoid P2PK addresses entirely. P2PK was used in Bitcoin's earliest blocks. Modern wallets don't generate these. If you somehow have funds at a P2PK address (mining rewards from 2010-2011), move them.
Monitor protocol-level developments. When the Bitcoin community begins serious BIP discussions for post-quantum signatures, the timeline for the threat is closer than current estimates suggest. As of mid-2026, no such discussions are urgent.
The quantum threat to Bitcoin is real but not immediate. A 10-15 year horizon for the threshold quantum capability gives the Bitcoin protocol enough time to soft-fork to post-quantum signatures before any practical attack becomes feasible. Holders using modern wallets with fresh-address generation are already mitigating the largest current exposure.
For a holder thinking about a 10+ year Bitcoin position, quantum is a tail risk to watch, not a near-term emergency. The biggest current risks remain operational (lost backups, phishing, exchange failure) rather than cryptographic.
Ryder One generates a fresh receive address for every transaction by default, meaning no funds sit at an exposed public key. The EAL6+ Infineon SLC38 secure element handles signing offline, with every transaction verified on the device's 1.6-inch AMOLED touchscreen. The wallet's firmware is signed and updatable, so when the Bitcoin protocol does soft-fork to post-quantum signatures, devices can update to support the new signature scheme.
TapSafe Recovery handles the backup so the long-term position remains durable through whatever protocol transitions happen over the next decade.
Quantum computing has gotten closer to the threshold that would matter for Bitcoin, but the gap remains large. Current systems are roughly 2,500x too small to break Bitcoin's ECDSA signatures, and closing that gap requires error-correction breakthroughs that haven't happened yet. Holders using modern wallets with fresh-address generation are already protected against the largest current exposure (re-used addresses with revealed public keys). The Bitcoin protocol has time to upgrade to post-quantum signatures before any practical attack becomes feasible. For long-term holders, quantum is a tail risk worth tracking, not a near-term reason to act.
Self-custody, with fresh addresses by default. Ryder One generates a new receive address for every transaction, signs offline on an EAL6+ secure element, and updates to support future protocol changes. See how it works.
SEO
The only crypto wallet you can install on a crowded subway.
Set it up in less than 60 seconds and just tap your phone to send, swap, and recover.
Share: