VERSE PRESS

Quantum Researcher Cracks 15-Bit Elliptic Curve Key, Wins 1 BTC Bounty, Exposing a Growing Gap in Crypto's Defences

A milestone in quantum cryptography research has handed an independent researcher approximately $78,000 to $84,000 in bitcoin, while sharpening warnings that one-third of the total BTC supply sits in wallets already vulnerable to future quantum attack.

Independent researcher Giancarlo Lelli this week won 1 BTC, valued at approximately $78,000 to $84,000 at current prices, after successfully deriving a 15-bit elliptic curve private key from its public key on a publicly accessible quantum computer.

The feat, verified and awarded by quantum cryptography research organisation Project Eleven on 24 April 2026, represents what the organisation calls the largest quantum attack on elliptic curve cryptography (ECC) ever executed on real hardware.

What Was Actually Broken, and What Wasn't

Lelli used a variant of Shor's algorithm to solve the Elliptic Curve Discrete Logarithm Problem (ECDLP) across a search space of 32,767 possible keys.

The ECDLP is the mathematical foundation of Bitcoin's signature scheme, ECDSA: it is the reason that knowing someone's public key does not, under normal conditions, allow you to calculate their private key. Shor's algorithm, running on a powerful enough quantum computer, can break that assumption.

Bitcoin's live keys are 256 bits wide. The gap between 15 bits and 256 bits is not linear; it is exponential, meaning the computational resources required to crack a real Bitcoin key remain far beyond anything existing today. Project Eleven was direct about this in its announcement, but also clear about the trajectory: the distance from 15 bits to 256 bits is "large, but the gap is increasingly viewed as an engineering problem and not a fundamental physics problem."

The Q-Day Prize competition, which Project Eleven launched in April 2025 with 1 BTC on offer to the winner, was designed precisely to convert that theoretical threat into a measurable number. Entrants competed to break the largest possible ECC key using actual quantum hardware before a deadline of 5 April 2026. Lelli's 15-bit result took the prize.

The Timeline Is Compressing

Lelli's result lands inside a broader shift in expert expectations about when quantum computers could genuinely threaten Bitcoin. In March 2026, a joint research paper from Google Quantum AI, the Ethereum Foundation, and Stanford University revised downward the hardware requirements for a working attack. The paper concluded that a quantum computer with fewer than 500,000 physical qubits could execute Shor's algorithm against a live Bitcoin key in roughly nine minutes, just under Bitcoin's average block confirmation time of ten minutes.

That matters because any transaction broadcast to the Bitcoin network and sitting in the mempool (the queue of unconfirmed transactions) briefly exposes its public key before it is confirmed. A sufficiently capable quantum machine could, in theory, derive the private key from that broadcast and redirect the funds before the original transaction settles. The researchers modelled the success rate of such an attack at approximately 41 percent.

Previous estimates placed the relevant threat window in the mid-2030s and required around one million physical qubits. Post-paper projections now cluster around 2029 to 2032. Analysts including Dragonfly Capital managing partner Haseeb Qureshi have publicly updated their assessments: "We are no longer looking at mid-2030s. We could have quantum computers of this scale by the end of the decade."

Approximately 6.9 million BTC, roughly one-third of the total supply, currently sits in wallets where public keys are already visible on-chain. This includes around 1.7 million BTC in old Pay-to-Public-Key (P2PK) addresses, a category that encompasses the estimated 1.1 million BTC attributed to Satoshi Nakamoto and untouched since 2010.

A Nigerian Developer Is Building the Defences

The response to this threat is not confined to Silicon Valley. On 8 April 2026, Olaoluwa Osuntokun, a Nigerian-born computer scientist and co-founder and CTO of Lightning Labs, announced he had built Bitcoin's first functional quantum-defence prototype, a tool called Post-Quantum BIP-86 Recovery via zk-STARK Proof of BIP-32 Seed Knowledge.

His tool allows wallet holders to prove ownership of Taproot outputs without ever exposing their private key or seed phrase, using a cryptographic technique called zk-STARK proofs.

Unlike ECDSA, zk-STARKs rely on hash functions and Merkle trees rather than elliptic curves, making them resistant to Shor's algorithm by design.

The prototype runs on consumer hardware. Osuntokun tested it on an Apple Silicon M4 Max laptop, where it generates a proof in roughly 55 seconds (under 3 seconds in a lighter variant) and verifies it in under 2 seconds. Proofs come in at 1.7 MB, compressible to 223 KB.

Osuntokun co-authored BIPs 157 and 158 and is among the most technically influential figures in Bitcoin development globally.

The work is especially relevant for users across South Asia, where self-custody rates are high, institutional wallet migration support is limited, and high proportions of individual users maintain older wallet formats. Africa faces similar constraints, with limited access to institutional custodians and migration support raising particular concerns for self-custody holders in both regions. Exchanges operating across these markets, including VALR, Luno, WazirX, and CoinDCX, are among the entities that should be monitoring post-quantum BIP developments closely.

India is among the world's largest retail crypto markets by user count, and users holding funds in addresses that have previously broadcast transactions are in the exposed category. The practical advice is straightforward: avoid address reuse, and avoid old P2PK-style addresses. Addresses that have never been spent from do not expose their public keys and carry less immediate risk.
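One way to check a wallet against that advice, as an added example that is not part of the original article: classify each unspent output by its scriptPubKey and flag the ones whose public key is already visible. The `label`, `spk` and `reused` fields are hypothetical names for data taken from the wallet's own history, and the sample scripts use filler bytes; Taproot (P2TR) is flagged because its 32-byte output key is part of the script itself.

```python
HASHED = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}   # script commits to a hash only

def classify(spk_hex):
    """Identify the standard output type from a scriptPubKey given as hex."""
    s = bytes.fromhex(spk_hex)
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == 0xAC:
        return "P2PK"                  # <pubkey> OP_CHECKSIG
    if len(s) == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH"
    if len(s) == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "P2SH"
    if len(s) == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    if len(s) == 34 and s[:2] == b"\x00\x20":
        return "P2WSH"
    if len(s) == 34 and s[:2] == b"\x51\x20":
        return "P2TR"                  # 32-byte output key sits in the script
    return "unknown"

def exposure(spk_hex, address_spent_before):
    """Return (type, status) for one unspent output."""
    kind = classify(spk_hex)
    if kind in ("P2PK", "P2TR"):
        return kind, "public key on-chain"
    if kind in HASHED:
        if address_spent_before:       # an earlier spend revealed the key
            return kind, "public key on-chain (address reuse)"
        return kind, "hidden until first spend"
    return kind, "review manually"

def audit(utxos):
    """Classify every UTXO; each result is (label, type, status)."""
    return [(u["label"],) + exposure(u["spk"], u["reused"]) for u in utxos]

# Constructed sample wallet: filler bytes, not real keys or hashes.
SAMPLE = [
    {"label": "old-coinbase", "spk": "41" + "04" + "11" * 64 + "ac", "reused": False},
    {"label": "savings",      "spk": "76a914" + "22" * 20 + "88ac",  "reused": False},
    {"label": "donations",    "spk": "0014" + "33" * 20,             "reused": True},
    {"label": "taproot",      "spk": "5120" + "44" * 32,             "reused": False},
]
```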

What Comes Next

No post-quantum upgrade is active on the Bitcoin network today. BIP 360 (P2QRH), the leading proposal, would remove permanently visible public keys from new Bitcoin addresses. The proposal includes a phased migration with hard deadlines of approximately three years post-adoption, a timeline that makes community education and outreach, particularly in non-English-dominant markets, an urgent parallel priority.

A full network upgrade to quantum-resistant signatures would also increase transaction sizes significantly: the NIST-standardised SPHINCS+ scheme produces signatures of 8 kilobytes or more, compared to 64 bytes today, which could expand average block sizes by up to 38 times under some models. NIST finalised its post-quantum cryptography standards, including FIPS 205, in August 2024, meaning SPHINCS+ is a settled standard rather than an open proposal.

The Coinbase Quantum Advisory Board, which includes Stanford cryptographer Dan Boneh, Ethereum Foundation researcher Justin Drake, and Eigen Labs' Sreeram Kannan, summarised the stakes plainly: "We have high confidence that a large-scale, fault-tolerant quantum computer will eventually be built. Waiting for it to be urgent is not a good idea."

Project Eleven's 1 BTC bounty has now been paid. The larger contest, over whether Bitcoin's cryptography can be upgraded before quantum hardware catches up, is still running.