Six Bitcoin developers have authored and drafted BIP-361, a two-phase soft fork that aims to ban first the sending of funds to quantum-vulnerable addresses and, then, after five years, invalidate all Elliptic Curve Digital Signature Algorithm (ECDSA)/Schnorr spends entirely. This proposal targets about 34% (over 6 million BTC) of all Bitcoin ever revealed with a public key onchain (including the estimated 1.1 million coins held by Satoshi).
Many feel that this plan constitutes a backdoor wealth transfer in which a quantum-capable attacker will be able to steal unclaimed coins before the sunset, while supporters assert that it is the only credible defense against an existential threat.
Is BIP-361 Really Needed?
Let’s dig in. The progress of quantum computing is accelerating. In 2024, the National Institute of Standards and Technology (NIST) ratified three post-quantum signature schemes ready for production, and now current, credible academic roadmaps estimate that cryptographically relevant quantum computers may arise between 2027 and 2030. Currently, as of April 2026, 34% of the Bitcoin that exists has public keys exposed onchain, primarily as a result of address reuse and early outputs from Pay-to-Public-Key (P2PK), and a sufficiently powerful quantum computer could derive the private key of any of them and steal it.
The authors of the proposal claim that “lost coins only make everyone else’s coins worth slightly more” (to paraphrase Satoshi), but quantum‑recovered coins would do the opposite: “a theft from everyone.”
How BIP-361 Works (and Why It’s Controversial)
BIP-361 proposal has two phases and operates as a soft fork:
- Phase A (3 years after activation): Nodes reject any transaction that sends funds to a legacy (ECDSA/Schnorr) address. New Unspent Transaction Outputs (UTXOs) must use post‑quantum output types.
- Phase B (2 years after Phase A): Nodes reject any transaction that spends from a legacy UTXO. Funds not migrated become permanently unspendable, effectively burning them.
As argued by the authors, the above creates a private incentive to upgrade: If you don’t act, then you will lose access to your funds. Critics refer to this as “monetary suicide,” a craziness. By forcing the abandonment of unclaimed coins (including the stash of Satoshi), BIP-361 would deliberately reduce Bitcoin’s supply, which many believe violates the fundamental concept of fungibility and neutrality of the Bitcoin network. Some warn that a soft-forked “anyone can spend” transition period will invite quantum-equipped attackers to lot coins that have not been migrated in the blink of an eye, and result in a winner-takes-all race.
Bitcoin’s BIP-361 Pros and Cons at a Glance
| BIP-361 Pros | BIP-361 Cons |
| Creates a clear, time‑boxed migration path | Forces abandonment of unclaimed coins (supply shock) |
| Protects active users from future quantum theft | Could reward first quantum attackers with billions in loot |
| Aligns ecosystem incentives (exchanges, custodians) | Violates Bitcoin’s principle of non‑confiscation |
| Avoids last‑minute emergency hard fork | Unknown technical feasibility of Phase C recovery |
What About Satoshi’s Coins and the 34% That Can’t Be Saved?
BIP-361 authors acknowledge that there are currently no recovery methods/paths for either P2PK outputs (the type that Satoshi used) or any UTXOs created before the introduction of BIP-32. According to them, Phase C recovery, which uses zero-knowledge proofs (ZKP) to establish possession of a seed phrase, can only be accomplished with the help of Hierarchical Deterministic (HD) wallets. Consequently, Satoshi’s estimated 1.1 million BTC would be permanently frozen (and thus unspendable) in Phase B, and also all of the other early coins and any UTXOs from address reuse.
A separate “Hourglass” proposal could theoretically recover P2PK funds, but it implementation would likely require a hard fork, but it is not currently part of this BIP.
Note: The Hourglass V2, submitted in April 2025, is a proactive Bitcoin soft fork proposal that seeks to mitigate the mass liquidation threat of quantum computing to older, vulnerable Bitcoin addresses by limiting the spending rate of legacy P2PK coins, around 1.7 million BTC, to 1 BTC per block.
Is BIP-361 Really a Soft Fork?
The answer is yes and no. Because Phase A and Phase B are designed to be soft forks, upgraded nodes are enforcing new rules, while non-upgraded nodes are treating any post-quantum witness programs as “anyone can spend.” However, the economic coercion would be particularly severe after Phase B, when all legacy UTXOs will become unspendable by both classes of nodes (upgraded or not). Given that the unspent nature of UTXOs is ultimately about creating consensus, there are many who believe that these changes are so aggressive that crosses the line into a de facto hard fork.
Cardano’s founder, Charles Hoskinson, has some raw critics worth listening to; whether you believe it or not, this proposal is valid. Discussion is open.
What Comes Next
The Bitcoin Improvement Proposal 361 is there. There will likely be intense community discussions on this topic as major stakeholders such as exchanges, custodians, and miners will need to express their support or bury it. Should BIP-361 be implemented, its 5-year adoption timeframe would be an extreme challenge for global wallet coordination.
Even if the quantum computing threat, for crypto and other sectors, is advancing, there’s too much noise around it as well. Many tech companies, like Google or Grayscale (among others), publish their own report, set deadlines, and come up with roadmaps; there’s another portion of these firms and blockchain-related ones that are proactively working to mitigate the quantum risk and build their own infrastructure. Innovation comes as fast as threats.
In 2025, Project Eleven launched a 1 BTC Reward to anyone who cracks Bitcoin’s quantum defense using Shor’s Algorithm. The contest was supposed to run until April 2026, but the team has not communicated the offering’s status. Does this say something to you?
