Quantum Researcher Cracks 15-Bit ECC Key, Sharpening Bitcoin’s Q-Day Timeline

An independent researcher has broken a 15-bit elliptic curve cryptography key using publicly accessible quantum hardware, winning a one-bitcoin bounty from quantum security firm Project Eleven and reigniting a debate that the crypto industry has long preferred to treat as a distant theoretical problem. The result, announced on April 24, 2026, is not a direct threat to Bitcoin today, but it is a data point that belongs in a prosecution file being assembled piece by piece. Each exhibit is small; the pattern they form is not.

What Lelli Actually Did, and Why the Scale Matters

Giancarlo Lelli, an independent Italian researcher, derived a private key from its paired public key across a 32,767-value search space, using a variant of Shor’s algorithm on cloud-accessible quantum hardware. Project Eleven described the result as the largest public demonstration of a quantum attack on elliptic curve cryptography to date. The previous public record was a six-bit demonstration completed by Steve Tippeconnic in September 2025. Lelli’s result expanded that benchmark by a factor of 512.

The caveat that every responsible outlet must state up front: Bitcoin’s keys are 256 bits long. A 15-bit key has 32,768 possible values. A 256-bit key has approximately 1.16 × 10^77 possible values. Those two numbers exist in different mathematical universes. No one’s bitcoin was stolen, no wallet was drained, and the network’s proof-of-work system was untouched. The hash rate, at time of writing, sits at 1,004.3 exahashes per second, and nothing in this week’s events disturbs that figure.

What Lelli’s result does establish is that the attack class itself, specifically the use of Shor’s algorithm against the Elliptic Curve Discrete Logarithm Problem that underpins Bitcoin and Ethereum’s digital signature systems, has moved from theoretical discussion to repeatable public demonstration. Project Eleven CEO Alex Pruden drew the line that matters: “The winning submission came from an independent researcher working on cloud-accessible hardware. No national lab, no private chip.” The barrier to entry for this class of experiment has dropped, and the record keeps being broken.

The Resource Estimates Are Falling Faster Than Expected

The distance between a 15-bit demonstration and a 256-bit attack is still enormous, but the trajectory of the resource estimates required to close that gap has changed materially over the past year. Google’s April 2026 whitepaper placed the qubit requirement for a full 256-bit elliptic curve attack at fewer than 500,000 physical qubits, a figure that itself represented a substantial reduction from older assumptions. A subsequent paper from Caltech and Oratomic lowered the estimate further still, to approximately 10,000 qubits using a neutral-atom architecture.

Project Eleven has framed this shift carefully but directly: the problem now looks more like an engineering challenge than a physics barrier. That is a meaningful reclassification. Physics barriers are theoretically insurmountable until they are not; engineering problems are solved on timelines that depend on funding, competition, and incremental progress, all of which are currently accelerating. Pruden pointed to Google’s own public target of becoming quantum-secure by 2029 as evidence that the migration window is already being measured in years, not decades.

Project Eleven is also preparing its next challenge, which will examine how frontier AI tools might accelerate future cryptographic attacks. That combination, quantum hardware improvements married to AI-assisted cryptanalysis, represents a compounding risk that the industry has not yet seriously priced into its security planning.

Mapping the 6.9 Million BTC Exposure

The figure that dominates these discussions is 6.9 million BTC sitting in wallets where the public key is already visible on-chain. A Coinbase Quantum Advisory Council paper placed that figure in context: with Bitcoin trading near $77,500 at the time of its analysis, the exposed holdings represented more than $530 billion in potential future exposure. That number is not a prediction of theft; it is a map of concentration risk under a future threat model that is becoming incrementally more plausible.

On-chain analyst James Check has argued, persuasively, that the 6.9 million figure is doing a great deal of rhetorical work that the underlying data does not support. He breaks the exposure into three distinct pools. Approximately 214,000 BTC sits in Taproot addresses whose owners are likely active and capable of migrating to a post-quantum solution. Roughly 4.996 million BTC sits in reused addresses, much of it belonging to exchanges and custodians. “Exchanges and custodians have a duty to protect clients’ funds,” Check wrote, expressing confidence that institutions are already developing solutions.

That leaves roughly 1.716 million BTC in Satoshi-era Pay-to-Public-Key outputs, the addresses most analysts assume hold permanently lost coins from Bitcoin’s earliest blocks. Check considers this the only credible target for a quantum attacker, and he argues that even a forced liquidation of all of it would be survivable. His “revived supply” data shows Bitcoin markets routinely absorb between 10,000 and 30,000 BTC per day during active periods. Selling the entire P2PK pool would therefore represent roughly 60 to 90 days of that absorption rate. “There’s no doubt that an additional 1.716M BTC market sold will have an appreciable and depressing force on the price,” Check stated, while rejecting the characterisation that it would be fatal to the network.

Check also backed a procedural safeguard drawn from BIP-360 discussions: capping P2PK transactions at one per block. With approximately 38,000 P2PK outputs in existence, that rate would exhaust them over roughly 264 days, a window that neatly overlaps with the time any post-quantum upgrade would require for general migration. At time of writing, the network has 103,453 blocks until the next halving, providing a rough sense of the timeline scales involved. With 506,108 active addresses recorded in the last 24 hours, the network is clearly not dormant while this debate unfolds.
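
The three pools described above differ in where the public key becomes visible: P2PK and Taproot outputs carry a key in the output script itself, while hash-locked outputs reveal it only once the address has been spent from and is then used again. As an added example (not code from this article or from Check's analysis), the Python below sorts a constructed list of unspent outputs into those pools from the raw scriptPubKey bytes; the sample scripts, amounts, pool names and the `key_revealed` flag are assumptions.

```python
from collections import Counter

def classify_script(spk: bytes) -> str:
    """Name the standard template a scriptPubKey matches, by its byte layout."""
    n = len(spk)
    # P2PK: push of a 33- or 65-byte public key, then OP_CHECKSIG (0xac).
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"
    # P2TR: OP_1 (0x51), then a push of the 32-byte x-only output key.
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG.
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"
    # P2WPKH: OP_0, then a push of the 20-byte key hash.
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"

def exposure_pool(spk: bytes, key_revealed: bool) -> str:
    """Map one unspent output to an exposure pool.

    key_revealed (assumed input): the same address has already been spent
    from, so its public key was published in that earlier spend.
    """
    kind = classify_script(spk)
    if kind == "p2pk":
        return "p2pk"          # key sits in the output script
    if kind == "p2tr":
        return "taproot"       # output key sits in the output script
    if kind in ("p2pkh", "p2wpkh"):
        return "reused" if key_revealed else "hash_only"
    return "unclassified"      # script hashes, multisig etc. need separate review

def tally(utxos) -> dict:
    """Sum satoshis per pool for (script_hex, satoshis, key_revealed) rows."""
    totals = Counter()
    for script_hex, sats, key_revealed in utxos:
        totals[exposure_pool(bytes.fromhex(script_hex), key_revealed)] += sats
    return dict(totals)

# Constructed sample data: filler bytes stand in for real keys and hashes.
SAMPLE_UTXOS = [
    ("41" + "04" + "11" * 64 + "ac", 5_000_000_000, False),  # P2PK, 65-byte key
    ("5120" + "33" * 32, 150_000, False),                    # P2TR
    ("76a914" + "44" * 20 + "88ac", 2_000_000, True),        # P2PKH, reused
    ("76a914" + "77" * 20 + "88ac", 700_000, False),         # P2PKH, never spent
    ("0014" + "55" * 20, 300_000, True),                     # P2WPKH, reused
    ("0020" + "66" * 32, 900_000, False),                    # P2WSH
]

if __name__ == "__main__":
    for pool, sats in sorted(tally(SAMPLE_UTXOS).items()):
        print(f"{pool:13s} {sats / 1e8:.8f} BTC")
```
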

Who Benefits, Who Loses, and What Happens Next

Check’s argument is intellectually honest and his arithmetic is sound, but it contains an assumption that deserves scrutiny: that institutional custodians will act in time. The history of security upgrades in financial infrastructure does not support automatic optimism on that point. Institutions move when regulators require it or when liability becomes unavoidable. Neither condition has fully materialised yet, which means the 4.996 million BTC in reused custodial addresses sits in a category that is exposed by technical reality but unprotected by any concrete legal mandate.

The clearest beneficiaries of the current moment are the quantum security firms and the post-quantum cryptography vendors. Project Eleven has converted a research prize into a global news cycle. Every increment in the public record, from six bits to 15 bits to whatever comes next, extends that cycle and expands the commercial case for their services. Google, similarly, benefits from urgency: its 2029 quantum-security target acquires more credibility each time a public demonstration advances the state of the art, and its cloud quantum hardware becomes more commercially attractive as researchers demonstrate real results on accessible systems.

The losers in the near term are holders in exposed address categories who are not paying attention, and the Bitcoin development community faces an increasingly uncomfortable timeline. Bitcoin’s BIP-361 freeze proposal has already fractured developer consensus over how to handle quantum-vulnerable legacy addresses, and that division will become harder to sustain as public demonstrations make the threat progressively more concrete. A community that cannot agree on a migration path in the abstract will face far greater pressure once the gap between demonstrated and required qubit counts narrows to a point that market participants find alarming.

For Ethereum and other ECC-dependent networks, the same logic applies. Collectively, the $2.5 trillion in digital assets secured by elliptic curve systems is not protected by any coordinated post-quantum roadmap. Ripple’s four-phase quantum roadmap targeting XRPL security by 2028 represents one of the more structured responses in the industry, but it remains an outlier rather than a template others have rushed to copy.

The most honest reading of this week’s events is that the prosecution’s case is being built on schedule and the defence has not yet filed its brief. A 15-bit key broken on a cloud computer is not the verdict, but it is another exhibit entered into evidence. Pruden said the challenge now looks like an engineering problem, and engineers, given sufficient motivation and resources, tend to solve engineering problems. The question the crypto industry needs to answer is whether it wants to be ahead of that solution or scrambling to catch up to it. The record, so far, suggests the latter is the more likely outcome, and that should concern anyone holding coins in an exposed address today.

Mari-Johanna Mäkelä

Crypto writer and blockchain analyst with a passion for explaining complex systems in a clear and thoughtful way. I focus on Bitcoin, Ethereum, DeFi and the evolving role of blockchain in the real economy. Years in the industry have taught me that good information matters more than hype. My goal is simple: make crypto understandable, useful and accessible for everyone.
