
Breaking Bitcoin’s Shield: The Looming Danger of Quantum Computing to Privacy
How HNDL and quantum threats imperil Bitcoin privacy—and what users can do now.
In September 2025, the US Federal Reserve published an analytical paper on the Harvest Now, Decrypt Later (HNDL) strategy. The approach assumes adversaries collect encrypted data today to decrypt it in future with sufficiently powerful quantum computers.
The authors use Bitcoin as an example and examine what HNDL could mean for blockchains built on traditional cryptography.
They conclude that even timely adoption of post-quantum cryptography will not shield historical data because blockchains are immutable. Together with representatives of the bitcoin mixer Mixer.Money, we outline proactive steps users can take to bolster privacy even after “Q Day”.
How HNDL works
The attack is simple: an adversary copies databases and other protected information. There is no immediate payoff, but once a cryptanalytically relevant quantum computer (CRQC) emerges, it can unlock private keys or information tied to transaction histories.
For Bitcoin, the quantum threat implies a potential break of digital signatures. A sufficiently powerful quantum computer could derive a private key from a public one, opening the door to wallet compromise and transaction-history exposure.
“At first glance, in such a situation privacy looks like the least of concerns. However, the Fed’s research draws attention to the fact that timely deployment of post-quantum cryptography will not protect historical data. Even if users move funds to quantum-resistant addresses, attackers could potentially reveal previously inaccessible data about transactions and links between addresses,” say representatives of Mixer.Money.
The Fed study stresses that, unlike security, privacy lacks a simple fix. Bitcoin’s historical data are exposed to retrospective compromise.
The vulnerability of Bitcoin addresses
There are different types of Bitcoin addresses. Their susceptibility to quantum attack depends on when and how the public key becomes visible.
- Pay-to-Public-Key (P2PK). The public key itself serves as the recipient’s address. Satoshi Nakamoto’s coins (around 1m BTC) sit in such UTXOs. The public keys to these coins are known today. They fall into the long-range attack category: adversaries have unlimited time to derive the private keys;
- Pay-to-Public-Key-Hash (P2PKH). The blockchain records only the hash of the public key. The key itself is not visible until an outgoing spend occurs.
The weakness appears at the first spend. The owner publishes the full public key in the script to prove ownership. From that moment the address is no longer quantum-resilient. If an adversary later gains a quantum computer, they could derive the private key.
Native SegWit addresses (bc1q prefix) behave like P2PKH: until the first spend the public key stays hidden; afterwards it becomes part of the blockchain record.
Taproot addresses (P2TR) with the bc1p prefix contain a shortened form of the public key (akin to the old P2PK). According to Chaincode Labs, in January 2025 Taproot accounted for 32.5% of all UTXOs but just 0.74% of the total bitcoin supply.
A quantum computer could recover private keys at scale and infer which addresses belong to the same person. Deloitte analysts estimate that roughly 25% of all bitcoins are already potentially exposed to quantum analysis. The Chaincode Labs study expands the range to 20–50% of coins in circulation (4–10m BTC). This bucket includes:
- old UTXOs with exposed keys (P2PK);
- lost coins at known addresses;
- hundreds of thousands of bitcoins at addresses with revealed keys due to reuse.
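The address-type classification above, as an added Python example that is not part of the article, the Fed paper or Mixer.Money: it maps each output's scriptPubKey to its type, records whether that address has ever spent (which publishes the key for P2PKH and bc1q outputs), flags reuse, and totals the unspent coins already sitting behind a visible key. The transactions are constructed sample data.

```python
# Added illustration for this article (not Fed or Mixer.Money code): classify outputs by
# scriptPubKey template and report whose public key is already readable on-chain.
from collections import defaultdict

def classify_script(spk: str) -> str:
    """Map a hex scriptPubKey to its standard output type, or 'unknown'."""
    if len(spk) == 50 and spk.startswith("76a914") and spk.endswith("88ac"):
        return "P2PKH"   # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 44 and spk.startswith("0014"):
        return "P2WPKH"  # OP_0 <20-byte hash>: the bc1q SegWit form
    if len(spk) == 68 and spk.startswith("5120"):
        return "P2TR"    # OP_1 <32-byte x-only key>: the bc1p Taproot form
    if len(spk) in (70, 134) and spk[:2] in ("21", "41") and spk.endswith("ac"):
        return "P2PK"    # <33- or 65-byte pubkey> OP_CHECKSIG
    return "unknown"

KEY_VISIBLE_ON_CREATE = {"P2PK", "P2TR"}   # key sits in the output itself
KEY_VISIBLE_ON_SPEND = {"P2PKH", "P2WPKH"} # key appears in the first spend from the address

def exposure_report(outputs, spent):
    """outputs: (txid, vout, spk_hex, value_sat); spent: set of (txid, vout) already spent.
    One scriptPubKey is one address, so grouping by it also detects reuse."""
    rep = defaultdict(lambda: {"type": "", "outputs": 0, "spent": 0, "unspent_sat": 0})
    for txid, vout, spk, value in outputs:
        a = rep[spk]
        a["type"], a["outputs"] = classify_script(spk), a["outputs"] + 1
        if (txid, vout) in spent:
            a["spent"] += 1
        else:
            a["unspent_sat"] += value
    for a in rep.values():
        a["reused"] = a["outputs"] > 1
        a["key_exposed"] = (a["type"] in KEY_VISIBLE_ON_CREATE
                            or (a["type"] in KEY_VISIBLE_ON_SPEND and a["spent"] > 0))
        # unspent coins behind a known key: the long-range attack bucket
        a["exposed_unspent_sat"] = a["unspent_sat"] if a["key_exposed"] else 0
    return dict(rep)

def total_exposed_sat(report):
    return sum(a["exposed_unspent_sat"] for a in report.values())

# Constructed sample outputs (hex scriptPubKeys built from filler bytes, not real keys)
P2PK_SPK = "21" + "02" + "ab" * 32 + "ac"     # exposed from creation
P2PKH_SPK = "76a914" + "11" * 20 + "88ac"     # reused address; one spend reveals the key
P2WPKH_SPK = "0014" + "22" * 20               # never spent: key still hidden
P2TR_SPK = "5120" + "33" * 32                 # Taproot: key in the output
SAMPLE_OUTPUTS = [("tx1", 0, P2PK_SPK, 50_00000000), ("tx2", 0, P2PKH_SPK, 1_00000000),
                  ("tx3", 1, P2PKH_SPK, 2_00000000), ("tx4", 0, P2WPKH_SPK, 50_000_000),
                  ("tx5", 0, P2TR_SPK, 10_000_000)]
SAMPLE_SPENT = {("tx2", 0)}
```

Running `exposure_report(SAMPLE_OUTPUTS, SAMPLE_SPENT)` marks the P2PK, reused P2PKH and Taproot addresses as key-exposed and the never-spent bc1q address as hidden.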
Large holders—exchanges and custodians—have often kept funds at the same addresses. That concentrates vast sums on single keys, making them priority targets for quantum attacks.
How to protect privacy now
Quantum compromise threatens to expose Bitcoin’s history retrospectively, so users should think about transaction privacy in advance. It is impossible to eliminate HNDL without migrating to new algorithms. But reducing on-chain links will complicate analysis. To do so:
- do not reuse addresses. Generate a new address for each payment received. Reuse makes it easier to combine your inputs and link them to you. On a subsequent spend, the public key will also be revealed and become potentially vulnerable to quantum attack;
- break transactional links. Avoid situations where the whole “sender–recipient” chain is obvious to an outside observer. If you are moving funds between your own wallets, or making a payment you would prefer to keep anonymous, consider using bitcoin mixers.
For example, Mixer.Money lets you receive bitcoins at new addresses that are not linked on-chain and without the need to pass KYC. The service splits a user’s coins into parts and sends them to exchanges. After a randomly selected interval (to thwart timestamp analysis), the user receives the same amount (minus a fee), but from other exchanges and different investors.
This severs links between the original transaction and the final recipient. A third-party analyst sees on-chain that funds arrived from many addresses with no obvious tie to the sender. In essence, Mixer.Money hampers both classical on-chain analysis and any future quantum analysis of transaction histories.
“Try not to reveal your identity by linking it to addresses. Do not send bitcoins directly from an anonymous wallet to an exchange where identity verification has been completed. It is better to withdraw funds via a mixer. Do not publish publicly the addresses you use. Do not share your wallet’s extended public key (xpub) — these data can be analysed both now and retrospectively,” add the team at Mixer.Money.
The less information about your transactions is tied to you or consolidated, the harder it will be to piece together when the quantum era arrives.
A quantum transition without KYC
The Fed’s study highlights less obvious privacy facets that matter to anyone aiming to remain anonymous on Bitcoin over the long term.
The ecosystem is gradually preparing for post-quantum cryptography. Proposals such as BIP-360 are emerging to migrate to new addresses. Experts are debating the timing of “Q Day” and migration paths.
For ordinary users, one point is crucial: the quantum threat is not merely theoretical but a practical risk that grows over time. The sooner you take measures to protect privacy on the Bitcoin network, the better.