On April 24, 2026, independent Italian researcher Giancarlo Lelli won 1 Bitcoin — roughly $78,000 — by demonstrating that the cryptography securing crypto wallets can be attacked using publicly available quantum hardware. No government lab, no classified chip, no restricted hardware was required — just a cloud-based quantum computer anyone can access today.
What Is the Q-Day Prize and Who Won It?
TL;DR: Researcher Giancarlo Lelli cracked a 15-bit elliptic curve cryptography key using cloud quantum hardware, winning 1 BTC from Project Eleven. An estimated 6.9 million BTC on-chain are already exposed to future quantum attacks.
Project Eleven, a post-quantum security startup, launched the Q-Day Prize with a clear challenge: break an elliptic curve cryptography (ECC) key using real quantum hardware, before April 5, 2026. Lelli submitted his result weeks after the original deadline, but the judges were convinced. Lelli used a variant of Shor's algorithm on cloud-accessible quantum hardware to derive the private key from a 15-bit ECC public key.
The previous record was 6 bits, set by Steve Tippeconnic in September 2025 on an IBM 133-qubit computer. Lelli's result is 512 times larger — a jump that the quantum computing research community has described as significant.
"The resource requirements for this type of attack continue to fall, and with them the practical barrier to executing it. The winning submission came from an independent researcher on cloud hardware. No lab, no private chip."
🚨 Google has sounded the quantum alarm 🚨
— Project Eleven (@projecteleven) March 31, 2026
Today, they released groundbreaking progress towards breaking crypto using a quantum computer.
TLDR - Existing cryptography is dead. Mempool attacks are real. We must migrate to post-quantum now.
Thread 🧵 pic.twitter.com/PQoS72kJfp
How Far Are We from Real Danger?
Bitcoin uses 256-bit keys. Lelli cracked a 15-bit key. The gap remains enormous — no wallet is at risk today. But what concerns researchers is the speed at which that gap is closing. In just seven months, three developments stand out:
- The practical demonstration jumped from 6 to 15 bits (×512) between September 2025 and April 2026
- A Google paper published in April 2026 estimated fewer than 500,000 physical qubits would be needed to break a 256-bit key
- Caltech and Oratomic brought that estimate down to approximately 10,000 qubits using neutral-atom architectures
As Project Eleven stated in its official release: "The distance from 15 to 256 bits is large, but it is increasingly viewed as an engineering problem, not a fundamental physics problem." That framing — engineering, not physics — is the key shift in expert consensus.
6.9 Million BTC Already Exposed On-Chain
The figure that changes the entire risk calculus is not a lab result — it is the volume of real Bitcoin already vulnerable. Approximately 6.9 million BTC — one third of all Bitcoin ever mined — sits in wallets whose public keys are already visible on the blockchain:
- P2PK addresses (the original format, used by Satoshi in the earliest blocks)
- Wallets with reused addresses, where at least one transaction has already exposed the public key
- Spent Taproot addresses after 2021, which publish the key as a side effect of the spending transaction
Approximately 1 million BTC is estimated to belong to Satoshi Nakamoto, held in wallets unmoved since 2009 — all in P2PK format, all with publicly visible keys. For US and UK holders using legacy wallet formats or exchange wallets that reuse addresses, understanding exposure is now a practical concern, not a theoretical one.
For a deeper look at which wallet categories carry the highest exposure, read our analysis of Q-Day and the quantum computing threat to Bitcoin. For the governance debate on how to respond, our coverage of BIP-361 and the proposal to freeze Satoshi's Bitcoin provides essential context.
Industry Responses: Who Is Acting and Who Is Waiting
Ethereum, TRON, StarkWare, and Ripple have all published post-quantum roadmaps. Bitcoin — by design decentralized and slow to govern — is still debating between BIP-360 (new optional quantum-safe address types) and BIP-361 (forced migration with freezing of unmigrated funds). The Bitcoin developer community remains divided, and no timeline for a protocol upgrade has been confirmed.
Project Eleven has already announced its next challenge: the intersection of advanced AI models and quantum cryptanalysis. The signal is clear — Q-Day is not tomorrow, but it is no longer science fiction. Anyone holding Bitcoin in old or reused addresses should now actively research migration options rather than waiting for a protocol-level solution.
For a broader comparison of which cryptocurrencies are most vulnerable to quantum computers, our network-by-network breakdown shows where the risk is highest — and where post-quantum defenses are already most advanced.
What is the Q-Day Prize?
The Q-Day Prize is a competition launched by Project Eleven challenging researchers to break an elliptic curve cryptography (ECC) key using real quantum hardware. In April 2026, researcher Giancarlo Lelli won 1 BTC by cracking a 15-bit ECC key on cloud quantum hardware.
Is Bitcoin at risk from quantum computers right now?
Bitcoin is not at immediate risk. Current quantum hardware cracked a 15-bit key, while Bitcoin uses 256-bit keys. However, 6.9 million BTC are already in wallets with exposed public keys that would be vulnerable once sufficient qubit counts are achieved.
What is BIP-360 and BIP-361?
BIP-360 proposes new optional quantum-safe address types for Bitcoin. BIP-361 goes further, proposing forced migration with the freezing of funds in unmigrated addresses. The Bitcoin community is currently debating both proposals without a confirmed upgrade timeline.
How many Bitcoin could be stolen by a quantum computer?
An estimated 6.9 million BTC — roughly one third of all Bitcoin ever mined — sits in addresses with publicly visible public keys, making them theoretically vulnerable to a sufficiently powerful quantum computer running Shor's algorithm.
