Quantum timelines are tightening. Citi says Bitcoin's slow governance makes post-quantum migration harder to coordinate than Ethereum's approach.

Don't scroll Twitter for crypto news
One email. Five minutes. Everything that matters today
Wall Street bank Citi warned on Friday that quantum computing breakthroughs are accelerating faster than previously expected, putting Bitcoin at greater risk than Ethereum and other proof-of-stake chains – its slow, consensus-driven governance makes implementing quantum-resistant cryptography harder to coordinate before the window narrows.
Quantum timelines are compressing. Stay on top of every major development in Bitcoin's post-quantum race – subscribe to Web Snack for the daily crypto brief that covers it all.
How Bitcoin's Governance Structure Creates a Quantum Blind Spot
Citi's concern is not that quantum computers can break Bitcoin today – it is that Bitcoin cannot upgrade fast enough once they can. Any change to Bitcoin's core cryptography requires broad consensus from miners, node operators, and the developer community. Past upgrades like SegWit and Taproot each took years from proposal to activation.
Ethereum and other proof-of-stake networks face the same underlying cryptographic risks but move faster. Ethereum has a formal hard-fork mechanism and a dedicated post-quantum research team active since 2018. Solana's foundation has already run testnet experiments with NIST-standardized ML-DSA signatures, though early results showed throughput dropping by roughly 90%.
Citi also flagged "harvest now, decrypt later" attacks as an immediate concern. Adversaries can collect encrypted blockchain data today and decrypt it once a sufficiently powerful quantum computer exists – no Q-Day required to start accumulating targets.
25% of Bitcoin Supply Is Already Quantum-Exposed, Citi Estimates
According to Citi's January 2026 report, roughly 25% of all Bitcoin in circulation – between 4.5 and 6.7 million coins – sits in addresses where the public key has already been exposed on-chain. The bank valued that pool at $500-600 billion at the time of writing. By contrast, over 65% of Ethereum's current supply carries the same exposure, and effectively all of Solana's supply is at risk – though both networks have faster governance paths for migration.
Two address types drive most of Bitcoin's problem. Early Pay-to-Public-Key (P2PK) outputs, common in Bitcoin's first years, store the public key directly on-chain. Any address that has already spent funds also exposes its public key permanently – including addresses widely believed to belong to Satoshi Nakamoto.
On Q-Day probability, Citi cited Global Risk Institute data placing the odds of widespread public-key encryption being broken at 19-34% by 2034, rising to 60-82% by 2044. A March 30, 2026 paper from Google Quantum AI estimated that breaking the secp256k1 elliptic curve used by Bitcoin may require as few as 1,200 logical qubits – far closer to current hardware than most prior estimates suggested.
What Faster Timelines Mean for Bitcoin Holders Right Now
No quantum computer capable of cracking Bitcoin's 256-bit encryption exists today. But the pace of improvement is the concern. On April 24, 2026, an independent researcher cracked a 15-bit elliptic curve key using rented cloud hardware – a 512x improvement over the September 2025 record – winning a 1 BTC bounty from security firm Project Eleven. The breakthrough came not from a national laboratory but from publicly available hardware.
Citi noted that a single-day quantum attack on one top-five US bank's Fedwire access could cause between $2.0 trillion and $3.3 trillion in indirect economic damage – equivalent to 10-17% of US GDP. While that scenario targets traditional finance, it frames the scale of systemic disruption that accelerating quantum capability represents across all cryptographic infrastructure.
For BTC holders, the risk is not an imminent wallet theft. It is that Bitcoin's upgrade process may not be fast enough to close the vulnerability window once hardware catches up.
BIP-360, NIST Deadlines, and the Post-Quantum Migration Window
Bitcoin developers have proposed BIP-360 and BIP-361 as post-quantum signature upgrade paths, but neither has advanced to active development. Any implementation would require a consensus-driven soft fork – a multi-year process by Bitcoin's standards even for uncontroversial changes.
On the regulatory front, NIST published three post-quantum cryptography standards in 2024 – FIPS 203, 204, and 205 – and US federal agencies must migrate high-risk systems by 2030, with full quantum-resistant security required by 2035. The EU has set coordinated national PQC transition strategies by end of 2026.
Despite raising concerns, Citi said it remains constructive on crypto's long-term ability to adapt through post-quantum cryptography and protocol redesigns. The bank framed quantum risk as a classic low-probability, high-severity event – one where even a modest chance of Q-Day arriving within a decade justifies urgent preparation now rather than waiting for a crisis.
BIP-360 still hasn't moved. If you want to know the moment it does – and everything else moving in crypto – subscribe to Web Snack.
P.S. This article is for informational purposes only and does not constitute investment advice. Always conduct your own research and make independent decisions.
Like this story? There's more tomorrow
Join Web Snack – no fluff, just value
