When Quantum Computers Come for Your Bitcoin: What Classical Property Law Says Happens Next

Avr 17, 2026

par

Bitcoin Magazine

When Quantum Computers Come for Your Bitcoin: What Classical Property Law Says Happens Next

Bitcoin’s quantum debate keeps slipping sideways because people keep arguing about two different things at once.

One question is technical: if quantum computing gets good enough to break Bitcoin’s signature scheme, the protocol can respond. New address types, migration rules, soft forks, deprecations, key rotation. That is a real engineering problem, but it is still an engineering problem.

The other question is legal: suppose someone uses a quantum computer to derive the private key for an old wallet and sweep the coins. What, exactly, just happened? Did he recover abandoned property, or did he steal someone else’s bitcoin?

In April 2026, BIP-361 proposed freezing more than 6.5 million BTC sitting in quantum-vulnerable UTXOs, including an estimated million-plus coins associated with Satoshi. No longer just an abstract discussion, it’s now a live fight over ownership, confiscation, and the meaning of property inside a system that ultimately recognizes only control.

I am not taking a position here on when a quantum computer capable of attacking Bitcoin will arrive. The narrower question is the one that matters first: if it does arrive, and someone starts moving long-dormant coins with quantum-derived keys, does the law treat that as legitimate recovery or theft?

Classical property law gives a fairly blunt answer. It is theft.

That answer will frustrate some Bitcoiners, because Bitcoin itself does not enforce title in the way courts do. It enforces control. If you can produce the valid spend, the network accepts the spend. But that only sharpens the point. The harder the network leans on control, the more important it becomes to state clearly what the law would say about the underlying act.

And on that front, the law is not especially mysterious.

Old coins are not ownerless just because they are old.

The actual quantum risk

It helps to begin with the narrower, more realistic version of the threat. Not all bitcoin is equally exposed. In the ordinary case, an address does not reveal the public key until the owner spends. That matters because a quantum attacker cannot simply look at any untouched address on the chain and pluck out the private key.

The real risk sits in a more limited category of outputs. Early pay-to-public-key outputs reveal the full public key on-chain. Some older script constructions do the same. Taproot outputs do as well: a P2TR output commits directly to a 32-byte output key, not a hash of one. Address reuse can also expose the public key once a user spends and leaves funds behind under the same key material. Those are the coins people really mean when they talk about exposed bitcoin.

The timeline for this scenario has compressed. On March 31, 2026, Google Quantum AI published research showing Bitcoin’s secp256k1 curve could be broken with fewer than 500,000 physical qubits, a twenty-fold reduction from prior estimates of roughly nine million. The same paper models the mempool attack vector directly: during a transaction, the public key is exposed for approximately ten minutes before block confirmation, giving a quantum adversary a window to derive the key before the spend confirms.

Current hardware remains far from these thresholds: Google’s Willow chip sits at 105 qubits and IBM’s Nighthawk at 120. But algorithmic optimization is outrunning hardware scaling. NIST’s own post-quantum migration roadmap calls for quantum-vulnerable algorithms to be deprecated across federal systems by 2030 and disallowed entirely by 2035. That federal timeline does not bind Bitcoin, but it supplies the benchmark against which institutional holders and regulators will measure Bitcoin’s preparedness.

A great many of those coins are old. Some are certainly lost. Some belong to dead owners. Some are tied up in paper wallets, forgotten backups, ancient storage habits, or estates that no one has sorted out. Some probably belong to people who are very much alive and simply have no interest in touching them.

That last point matters more than the “lost coin” crowd usually admits. From the outside, dormancy tells you very little. A wallet can sit untouched for twelve years because the owner is dead, because the owner lost the keys, because the owner is disciplined, because the owner is paranoid, because the coins are locked in a multi-party setup, or because the owner is Satoshi and would rather remain a rumor than a litigant. The blockchain does not tell you which explanation is true.

That uncertainty is precisely why property law has never treated silence as a magic solvent for ownership.

Dormancy is not abandonment

The casual “finders keepers” intuition that floats around these discussions has almost nothing to do with how property law actually works.

Ownership does not evaporate because property sits unused. Title continues until it is transferred, relinquished, extinguished by law, or displaced by some doctrine that actually applies. Time alone does not do that work. Inaction alone does not do that work. Value certainly does not do that work.

So if someone wants to argue that dormant bitcoin is fair game, the path usually runs through abandonment. The claim is simple enough: these coins have been sitting there forever, nobody has touched them, they are probably lost, therefore they must be abandoned.

The law is much stricter than that. Abandonment generally requires both intent to relinquish ownership and some act manifesting that intent. The owner must, in substance, mean to give it up and do something that shows he meant to give it up. Simply failing to move an asset for a long period is not enough, particularly where the asset is obviously valuable.

That is not some fussy technicality… it’s one of the core tenets of property law. If nonuse alone were enough to destroy title, the law would become a standing invitation to loot anything whose owner had been quiet for too long. That is not our rule for land, for houses, for stock certificates, for buried cash, or for heirlooms. It is not the rule for bitcoin either.

Take the easy edge case. If someone deliberately sends coins to a burn address with no usable private key, that begins to look like abandonment because there is both a clear act and a clear signal. But that example proves the opposite of what quantum raiders want it to prove. It shows what relinquishment looks like when a person actually intends it. Most dormant wallets do not look anything like that.

The better reading is the ordinary one: old coins are old coins. Some are lost. Some are inaccessible. Some are forgotten. Some are sleeping. None of that converts them into ownerless property.

And recent legislation has begun to formalize the same instinct. The UK’s Property (Digital Assets etc) Act 2025, which received Royal Assent on December 2, 2025, creates a third category of personal property explicitly covering crypto-tokens. In the United States, UCC Article 12 has now been adopted by more than thirty states and the District of Columbia, recognizing “controllable electronic records” as a distinct legal category. Neither regime treats dormancy as relinquishment. By formally classifying digital assets as property, both raise the bar for anyone arguing that old coins are ownerless by default.

Death does not erase ownership

The next move is usually to shift from abandonment to mortality. Fine, perhaps the coins were not abandoned, but surely many of these early holders are dead. Doesn’t that change the analysis?

Not in the way the raider would like.

Some early wallets invite a kind of Schrödinger’s-heir problem: the owner is confidently declared dead when the raider wants ownerless property, then treated as notionally available whenever the burdens of succession come into view. Property law does not indulge the superposition.

When a person dies, title does not disappear. It passes. Property goes to heirs, devisees, or, in the absence of both, to the state through escheat. The law does not shrug and announce an open season. It preserves continuity of ownership even when possession becomes messy, inconvenient, or impossible to exercise.

The analogy to physical property is almost insultingly straightforward. If a man dies owning a ranch, the first trespasser who cuts the lock does not become the new owner by initiative and optimism. The estate handles succession. If there are no heirs, the sovereign has a claim. Valuable property does not become unowned merely because the original owner is gone.

Bitcoin is no different on that point. Lost keys do not transfer title. Inaccessibility is not a conveyance. A stranger who derives the private key later with better tooling has not uncovered ownerless treasure. He has acquired the practical ability to move property that still belongs to someone else, or to someone else’s estate.

That conclusion matters most for the largest block of old, vulnerable coins: Satoshi’s. Whether Satoshi is alive, dead, or permanently off-grid does not change the legal classification. Those coins belong either to Satoshi or to Satoshi’s estate. They do not become a bounty for the first actor who arrives with a quantum crowbar.

Unclaimed property law does not rescue the theory

Some people assume dormant bitcoin can be swept up under unclaimed property law. That confusion is understandable, but it misses how those statutes actually operate.

Unclaimed property law generally runs through a holder. A bank, broker, exchange, or other custodian owes property to the owner. If the owner disappears long enough, the state steps in and requires the holder to report and remit the asset, subject to the owner’s right to reclaim it later. The doctrine is built around intermediaries.

That framework works well enough for exchange balances. It works for custodial wallets. It works for assets sitting with a business that can be ordered to turn them over.

It does not work the same way for self-custodied bitcoin. A self-custodied UTXO has no bank in the middle, no exchange holding the bag, and no transfer agent waiting for instructions. There is no custodian for the state to command. There is only the network, the key, and the person who can or cannot produce the valid spend.

That means governments can often reach custodial crypto, but self-custodied bitcoin presents a harder limit. The law can say who owns it. The law can sometimes say who should surrender it. What it cannot do is conjure the private key.

The same problem defeats a more dressed-up version of the argument under UCC Article 12. A quantum attacker who derives the private key may gain “control” of the asset in a practical sense. But control is not title. It never has been. A burglar who finds your safe combination gains control too. He still stole what was inside.

Adverse possession does not fit, and salvage is worse

Two analogies get dragged out whenever someone wants to dignify quantum theft with a veneer of doctrine: adverse possession and salvage.

Neither one survives contact with the facts.

Adverse possession developed for land, and it carries conditions that make sense in land disputes. Possession must be open and notorious enough to give the true owner a fair chance to notice the adverse claim and contest it. A quantum attacker who sweeps coins into a fresh address does nothing of the sort. Yes, the movement is visible on-chain. No, that is not meaningful notice in the legal sense. A pseudonymous transfer on a public ledger does not tell the owner who is asserting title, on what basis, or in what forum the claim can be challenged.

The policy rationale also collapses. Adverse possession helps resolve stale land disputes, quiet title, and reward visible use of neglected real property. Bitcoin has none of those structural problems. The blockchain already records the chain of possession.

Salvage is worse. Salvage rewards a party who rescues property from peril. The quantum raider does not rescue property from peril. He exploits the peril. In many cases, he is the reason the peril matters at all. Calling that “salvage” is like calling a pirate a lifeguard because he arrived with a boat: a euphemism masquerading as a legal theory.

What BIP-361 is really fighting about

This is why BIP-361 matters. It is the first serious proposal to force the issue at the consensus layer rather than wait for courts and commentators to argue over the wreckage afterward.

In broad strokes, the proposal would roll out in phases. First, users would be barred from sending new bitcoin into quantum-vulnerable address types, while still being allowed to move existing funds out to safer destinations. Later, legacy signatures in vulnerable UTXOs would stop being valid for purposes of spending those coins. In practical terms, any remaining unmigrated funds would freeze. A further recovery mechanism has been proposed using zero-knowledge proofs tied to BIP-39 seed possession, though that portion remains aspirational and incomplete.

Critically, the recovery path works only for wallets generated from BIP-39 mnemonics. Earlier wallet formats, including the pay-to-public-key outputs associated with Satoshi, have no realistic route back under the current proposal. That limitation is not incidental. It means Phase C, as currently designed, would preserve the property rights of more recent adopters while permanently extinguishing those of the earliest ones. That is a de facto statute of limitations imposed not by a legislature but by a protocol change.

The attraction of the proposal is obvious. If the network knows a category of coins is likely to become loot for whoever reaches them first, it can refuse to bless the looting. That is, in substance, a defense of ownership against a purely technological shortcut. It treats the quantum actor as a thief and denies him the prize.

But that is only half the story. The other half does not vanish merely because protocol designers would rather not observe it.

The proposal also creates a second legal problem, and it is harder to wave away. Phase B does not only stop thieves. It also disables actual owners who fail, or are unable, to migrate in time. That matters because property law does not ask only whether a rule has a good motive. It also asks what the rule does to the owner.

Calling that “theft” is too imprecise. BIP-361 does not reassign the coins to developers, miners, or some new claimant. It does not enrich the freezer in the ordinary way a thief enriches himself. But “not theft” does not end the inquiry. The closer analogy is conversion, or at least something uncomfortably adjacent to it. If the rule is that an owner had a valid spend yesterday and will have none tomorrow, not because he transferred title, not because he abandoned the coins, and not because a court extinguished his claim, but because the network decided those coins were too dangerous to remain spendable, the network has done something more than merely “protect property rights.” It has intentionally disabled the practical exercise of some of those rights.

That is what makes the freeze legally awkward. Freeze supporters can defend it as the lesser evil, and they may be right. But lesser evil is not the same thing as legal cleanliness. A rule that permanently prevents an owner from accessing his own coins begins to look less like ordinary theft and more like forced dispossession by consensus.

The strongest objections appear in the hardest cases. Timelocked UTXOs are the cleanest example. If a user deliberately created a timelock that matures after the freeze date, that owner did not neglect the coins. He did not abandon them. He affirmatively structured them to be unspendable until a future date. Yet the protocol could still freeze them permanently before that date ever arrives. Other older wallet constructions create a similar problem. If the eventual recovery path depends on BIP-39 seed possession, some earlier wallet formats may have no realistic route back at all. Estates create the same tension in another form. The owner may be dead, but title has not vanished. It passed somewhere. Freezing the coins does not eliminate the underlying property claim. It only eliminates the network’s willingness to honor it.

That is why the better description of Phase B is not “anti-theft rule” in the abstract. It is a confiscatory defense mechanism. Maybe a justified one. Maybe even a necessary one. But still confiscatory in effect for at least some owners. The proposal does not just choose owner over thief. In some cases it chooses one class of owners over another, then treats the losses of the disfavored class as the price of securing the system.

That does not make BIP-361 unlawful in any straightforward, courtroom-ready sense. Bitcoin consensus changes are not state action, so the takings analogy is imperfect unless government enters the picture directly. But as a matter of private-law reasoning, the conversion analogy lands harder. Title may remain rhetorically intact while practical control is intentionally destroyed.

That is the real symmetry at the center of the quantum debate. Letting a quantum attacker sweep dormant coins looks like theft. Freezing vulnerable coins by soft fork may be the lesser evil, but it is not costless, either materially or morally. For some owners, it begins to look a great deal like confiscation.

The legal answer is clear, even if Bitcoin’s is not

Classical property law is not going to bless quantum key derivation as some clever form of lawful recovery.

Dormancy is not abandonment. Death transfers title; it does not dissolve it. Unclaimed property law reaches custodians, not self-custody itself. Adverse possession does not map onto pseudonymous UTXOs. Salvage is a bad joke.

So if someone uses a quantum computer to derive the private key for a dormant wallet and move the coins, the legal system will almost certainly call that theft.

But BIP-361 shows that Bitcoin may not face a choice between theft and pristine protection of ownership. It may face a choice between theft by attacker and dispossession by protocol. Freezing vulnerable coins may be a defensible response to an extraordinary threat. It may even be the only response the network finds tolerable. Still, it should be described honestly. For some owners, especially those with timelocked outputs, old wallet formats, or no realistic migration path, the freeze begins to look less like protection than confiscation.

That is what makes the issue more than a simple morality play. Bitcoin collapses the distinction property law usually relies on between title and possession. Courts can say a quantum raider stole the coins. Courts can say a protocol-level freeze substantially interfered with an owner’s rights. But the chain will still recognize only the rules its economic majority adopts.

So the fight is not simply over whether Bitcoin should defend property rights during the quantum transition. The fight is over which property rights Bitcoin is willing to impair in order to defend the rest.

Welcome to classical politics.

This is a guest post by Colin Crossman. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.

This post When Quantum Computers Come for Your Bitcoin: What Classical Property Law Says Happens Next first appeared on Bitcoin Magazine and is written by Colin Crossman.