Coinbase’s advisory board warned in April and June 2026 that Bitcoin’s current cryptography faces a tangible quantum-computing threat and urged the network to begin preparing for post-quantum migration immediately. The firm estimated that roughly 6.9 million BTC, or about 32.7% of supply, sit in outputs that could become vulnerable once cryptographically relevant quantum computers become available.

The warning matters because Bitcoin’s existing signature model can expose public keys in specific circumstances. Once those keys are visible on-chain or in the mempool, a sufficiently advanced quantum attacker could derive private keys and spend vulnerable coins, turning a future cryptographic breakthrough into a direct custody and settlement risk.

Public-Key Exposure Creates the Main Attack Surface

Coinbase’s reports identified Shor’s algorithm as the primary concern. Because it can solve the discrete logarithm problem underpinning ECDSA and other elliptic-curve signatures, it threatens address types where public keys are already known, including legacy P2PK, bare multisig, Taproot outputs and many reused addresses.

The advisory analysis also flagged a concentration of at-risk coins, including a portion of Satoshi-era outputs. That detail raises the stakes for the migration debate because older inactive wallets may be technically exposed while remaining operationally difficult to move.

The board also described a shorter-range risk during normal transaction flow. When a transaction enters the mempool, it can reveal the public key before block inclusion, creating a narrow window in which a fast quantum attacker could extract the private key and redirect funds before settlement finalizes.

A secondary but lower-priority concern involves Grover-style speedups against SHA-256. Coinbase framed that risk mainly around mining economics, where sufficiently large quantum hash acceleration could alter incentives, although the immediate focus remains signature exposure rather than proof-of-work failure.

Migration Would Be a Governance Project, Not a Patch

Coinbase framed post-quantum migration as a multi-year engineering and governance process. Post-quantum signature schemes under consideration are much larger than ECDSA, and the advisory analysis warned that larger signatures could increase block payloads, transaction fees and throughput pressure unless protocol adaptations are adopted.

“The window for preparation is rapidly closing,” Coinbase’s Independent Advisory Board on Quantum Computing and Blockchain said. The statement captured the board’s view that delay itself increases systemic risk, even before quantum attackers become practically capable.

The proposed workstreams include industry-wide adoption of NIST-favored post-quantum algorithms, including lattice-based and hash-based schemes. Coinbase also pointed to protocol proposals involving one-time or hybrid signatures, including Winternitz-style approaches in BIP-360 and OP_CAT support outlined in BIP-347.

Operational preparation is just as important as cryptographic design. The advisory board urged the ecosystem to identify vulnerable outputs, segregate abandoned wallets, coordinate audits and prepare custody upgrades, making wallet inventory and institutional readiness core parts of the transition.

Coinbase has created an Independent Advisory Board to coordinate technical guidance and said it plans to pursue quantum-proof custody offerings for institutional clients by late 2026. That commercial roadmap signals a likely gap between custody-provider upgrades and full Bitcoin protocol migration.

The immediate priorities are clear: map vulnerable outputs, design safe migration flows that do not expose keys unnecessarily, and test hybrid or one-time signature schemes in wallet and signing infrastructure. Because any protocol change requires coordination across miners, developers and users, parallel progress on standards, BIPs and operational tooling will be essential.

The broader challenge is execution. Moving large holders without damaging fee markets, confusing users or fragmenting the network will require staged deployment, audits and clear communication, which is why Coinbase’s advisory group is treating quantum resistance as a present-day engineering priority rather than a distant theoretical issue.