Over the last 18 months, quantum computing has advanced significantly, but it is still transitioning from noisy hardware to early fault tolerance. The focus is shifting from raw physical-qubit counts to logical qubits, gate fidelity, runtime, and error correction. That shift matters for Bitcoin risk assessments, which are driven by logical qubits and fault-tolerant operations rather than total hardware numbers.
Recent findings by Google have cut the estimated quantum resources needed to crack Bitcoin and Ethereum by a factor of 20, projecting a $600 billion countdown. Using zero-knowledge proofs, the company verified these estimates without revealing the attack circuits. In late 2024, Google’s Willow chip demonstrated below-threshold error correction, with error rates falling as the system scaled up. IBM claims its systems can handle circuits with over 5,000 two-qubit gates and aims for a 200-logical-qubit fault-tolerant system by 2029.
Quantinuum reported 48 error-corrected logical qubits from 98 physical qubits and achieved better-than-break-even performance. Microsoft and Atom Computing demonstrated 24 entangled logical qubits on neutral-atom hardware. Despite these advancements, a large-scale fault-tolerant machine is still out of reach, prompting DARPA’s Quantum Benchmarking Initiative targeting cost-effective computational value by 2033.
Current quantum systems can run benchmark problems beyond classical methods, perform specialized simulations, and test error correction techniques. However, they lack the logical-qubit count, gate budget, and runtime needed to threaten Bitcoin’s secp256k1 elliptic-curve cryptography. Google’s latest estimates suggest that a Bitcoin-relevant attack would require 1,200 to 1,450 logical qubits and tens of millions of Toffoli gates.
Google researchers posit that fewer than 500,000 physical qubits with specific error rates could execute Shor’s algorithm against secp256k1 in minutes. The challenge lies not only in scaling up but also in stabilizing large numbers of logical qubits and sustaining fault-tolerant operations efficiently.
The March 2026 Google paper emphasizes superconducting and photonic platforms for potential on-spend attacks, because they are fast enough to act within mempool windows. For Bitcoin, the initial risks are private key recovery from public keys that are already exposed, and recovery while a key is visible during a spend. Google recommends a post-quantum migration path by 2029.
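The two exposure cases above can be told apart from an output's locking script. The following is an added example, not code from the Google paper or from this article, and it goes beyond the text by using the standard Bitcoin output templates (P2PK, P2PKH, P2SH, P2WPKH, P2WSH, P2TR); the function names and the `key_seen_before` flag are hypothetical, and the sample outputs are constructed.

```python
from collections import defaultdict

AT_REST = "at-rest"    # key is readable from the chain for as long as the output is unspent
ON_SPEND = "on-spend"  # only a hash is on-chain; the key appears when a spend is broadcast
UNKNOWN = "unknown"

def _is_pubkey(b: bytes) -> bool:
    # Compressed (02/03 + 32 bytes) or uncompressed (04 + 64 bytes) SEC encoding.
    return (len(b) == 33 and b[0] in (2, 3)) or (len(b) == 65 and b[0] == 4)

def classify(script_hex: str, key_seen_before: bool = False) -> tuple:
    """Return (template, exposure) for a hex scriptPubKey.
    key_seen_before (hypothetical flag): an earlier spend from the same script
    already published the key, so the hash no longer hides it."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC and _is_pubkey(s[1:-1]):
        return "p2pk", AT_REST                      # <pubkey> OP_CHECKSIG
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", AT_REST                      # OP_1 <32-byte x-only output key>
    hashed = None
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        hashed = "p2pkh"
    elif n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        hashed = "p2sh"
    elif n == 22 and s[:2] == b"\x00\x14":
        hashed = "p2wpkh"
    elif n == 34 and s[:2] == b"\x00\x20":
        hashed = "p2wsh"
    if hashed:
        return hashed, AT_REST if key_seen_before else ON_SPEND
    return "nonstandard", UNKNOWN

def exposure_totals(utxos):
    """Sum satoshis per exposure class; utxos = [(script_hex, sats, key_seen_before)]."""
    totals = defaultdict(int)
    for script_hex, sats, seen in utxos:
        totals[classify(script_hex, seen)[1]] += sats
    return dict(totals)

# Constructed sample outputs (dummy key and hash bytes, not real coins).
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", 5_000_000_000, False),   # P2PK
    ("76a914" + "22" * 20 + "88ac", 150_000, False),          # P2PKH, never spent from
    ("76a914" + "33" * 20 + "88ac", 40_000, True),            # P2PKH, reused address
    ("0014" + "44" * 20, 75_000, False),                      # P2WPKH
    ("5120" + "55" * 32, 20_000, False),                      # P2TR
]
```

Running `exposure_totals(SAMPLE_UTXOS)` splits a wallet's balance into funds whose key is already public and funds that are only exposed during the mempool window of a spend, which is the inventory a migration plan starts from.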
Despite Google’s aggressive 2029 timeline as a migration target, the evidence for achieving a Bitcoin-breaking machine by then is still limited. IBM’s roadmap to 200 logical qubits and 100 million gates in 2029 falls short of Google’s estimates. DARPA’s benchmark horizon extends to 2033.
No definitive budget exists for constructing a quantum computer capable of cracking Bitcoin, but current funding signals suggest costs could reach the low single-digit billions. PsiQuantum raised $1 billion in 2025 and secured an A$940 million package from Australia. Quantinuum had raised about $300 million by early 2025.
Key milestones include scaling logical qubits to hundreds with stability, supporting millions of fault-tolerant gates, architectural validation for on-spend attacks, independent verification via DARPA programs, and the cryptographic response, which includes NIST’s post-quantum standards finalized in August 2024. These developments are crucial as organizations plan migrations by 2035.
Who will build such a quantum computer first depends on which benchmark is used: IBM and Quantinuum lead on logical-qubit roadmaps, while Microsoft and PsiQuantum have reached advanced validation phases. Fast-clock platforms such as superconducting or photonic systems hold the most promise for Bitcoin-relevant capabilities. Ultimately, any malicious use of such technology would require extensive resources and expertise.
The cost remains high, likely in the billions, which keeps Bitcoin’s cryptography resilient against quantum threats until at least 2035.