Secret harvesters: why quantum computers threaten Bitcoin privacy

In September 2025, the U.S. Federal Reserve released an analytical paper exploring a concept known as Harvest Now, Decrypt Later (HNDL). The strategy is simple yet deeply concerning: an adversary collects encrypted data today, intending to decrypt it later, once quantum computers become powerful enough to break the cryptography that protects it.

The paper used Bitcoin as a primary example, examining how this threat could impact blockchains that rely on conventional cryptographic techniques. The findings were sobering. Even if post-quantum encryption methods are adopted promptly, they cannot safeguard the vast amount of historical blockchain data — because, by design, that data is immutable and permanent.

The implications are clear: the emergence of quantum computing could expose not only individual wallets but also the entire historical record of Bitcoin transactions, revealing connections that were once thought private.

How the HNDL attack works

The mechanics of HNDL are straightforward. Attackers copy databases and encrypted material long before they have the computational means to decrypt them. Once a cryptanalytically relevant quantum computer (CRQC) exists, it could recover cryptographic keys at speeds that are out of reach for classical computers.

In Bitcoin’s case, the risk lies in deriving private keys from public keys, which is currently infeasible with classical hardware. A sufficiently powerful quantum machine could therefore unlock wallets whose public keys are known, reconstruct transaction histories, and expose user identities through address linking.

The Federal Reserve’s analysis emphasized that even proactive deployment of post-quantum algorithms won’t protect already-recorded data. Once public keys have been revealed on-chain, those records remain visible forever — leaving past transactions vulnerable to future decryption.

Vulnerabilities across Bitcoin address types

Bitcoin addresses differ in how much information they reveal, and this determines their level of vulnerability to quantum attacks.

  • Pay-to-Public-Key (P2PK):
     In these early addresses, the public key itself acts as the receiving address. Many of Bitcoin’s earliest coins — including roughly one million BTC attributed to Satoshi Nakamoto — use this format. Since their public keys are already exposed, they represent “long-range” targets for future quantum attacks.

  • Pay-to-Public-Key-Hash (P2PKH):
     This format stores only the hash of the public key, keeping it hidden until the coins are spent. However, once a transaction occurs, the public key becomes visible on the blockchain. Any subsequent quantum breakthrough could allow attackers to derive the private key from that exposed data.

  • SegWit (bc1q) Addresses:
     SegWit follows the same principle as P2PKH — safe until the first spend, after which the public key is exposed.

  • Taproot (bc1p) Addresses:
     Taproot introduces a slightly different model: the output embeds a shortened form of the public key itself, much as early P2PK outputs did, so the key is visible before any spend. As of early 2025, Taproot outputs represented over 30% of all unspent transaction outputs (UTXOs), but less than 1% of the total circulating Bitcoin supply.

Analyses from blockchain research groups suggest that between 20% and 50% of all existing bitcoins — roughly 4 to 10 million BTC — could already be vulnerable to quantum analysis. This includes old unspent coins, lost coins with known addresses, and holdings at reused or publicly visible addresses. Large institutional wallets, such as those used by exchanges and custodians, often consolidate funds under single addresses — concentrating enormous sums behind individual private keys that could one day become prime targets.
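To make the "exposed before spend" versus "exposed after spend" distinction concrete, here is an added example (not code from the article or from IronWallet) that classifies a raw output script by the four standard templates above and reports whether the spending key is already on-chain. The key and hash bytes in the samples are constructed placeholders, not real chain data.

```python
# Added example, not code from the original article: classify a Bitcoin output
# script (scriptPubKey, hex) and report whether the key that spends it is already
# visible on-chain. P2PK and Taproot carry a key in the output itself; P2PKH and
# P2WPKH reveal it only in the spend that consumes the output.
OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x00, 0x51, 0x76, 0xA9, 0x88, 0xAC

def classify_script(spk_hex: str) -> str:
    """Return the output type of a scriptPubKey given as hex."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == OP_CHECKSIG:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "P2PKH"
    # P2WPKH (bc1q): OP_0 <push 20> <hash160>
    if n == 22 and s[0] == OP_0 and s[1] == 20:
        return "P2WPKH"
    # P2TR (bc1p): OP_1 <push 32> <x-only tweaked pubkey>
    if n == 34 and s[0] == OP_1 and s[1] == 32:
        return "P2TR"
    return "other"

def key_exposed(spk_hex: str, spent_from_address: bool) -> bool:
    """True if the spending key for this output is already visible on-chain."""
    t = classify_script(spk_hex)
    if t in ("P2PK", "P2TR"):
        return True               # the (tweaked) key sits in the output itself
    if t in ("P2PKH", "P2WPKH"):
        return spent_from_address # revealed in the scriptSig/witness of a spend
    return False                  # unknown script type: make no claim

# Constructed sample scripts with placeholder key/hash bytes, not real chain data.
SAMPLES = {
    "p2pk":   "21" + "02" + "11" * 32 + "ac",
    "p2pkh":  "76a914" + "22" * 20 + "88ac",
    "p2wpkh": "0014" + "33" * 20,
    "p2tr":   "5120" + "44" * 32,
}

def audit(samples=SAMPLES, spent=()):
    """Map each sample name to (type, exposed) given the names already spent from."""
    return {k: (classify_script(v), key_exposed(v, k in spent)) for k, v in samples.items()}

if __name__ == "__main__":
    for name, (typ, exposed) in audit(spent=("p2pkh",)).items():
        print(f"{name:7s} {typ:6s} key exposed: {exposed}")
```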

Steps to strengthen privacy before the quantum era

The prospect of quantum decryption creates a retrospective privacy risk for all blockchain users. While it is impossible to eliminate the HNDL threat entirely without migrating to post-quantum algorithms, individuals can take several practical steps to reduce their exposure and make on-chain analysis more difficult:

  1. Avoid address reuse.
     Generate a new address for every incoming payment. Reusing addresses links multiple transactions together, making it easier to trace ownership and connect wallets.

  2. Break transactional links.
     When transferring funds between personal wallets or to third parties, structure transactions in a way that minimizes direct “sender–recipient” visibility. Avoid patterns that allow observers to easily correlate inputs and outputs.

  3. Reduce identifiable footprints.
     Do not publicly share wallet addresses or extended public keys (xpubs), as they can be used to map out entire transaction histories. Minimize interactions between anonymous wallets and exchanges that require identity verification.

  4. Monitor advancements in post-quantum solutions.
     Stay informed about developments in post-quantum cryptography and migration proposals. Early adoption will be critical to maintaining privacy once quantum-resistant tools become widely available.

The less personal or structural information is tied to a user’s on-chain activity, the harder it will be for future quantum analysis to reconstruct ownership patterns or transaction flows.
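The first of the steps above can be checked against a wallet's own history. The following added example (not code from the article or from IronWallet) walks a constructed receive/spend log, flags addresses that were reused, and totals the funds still sitting on addresses whose key is already visible, either because the output type carries the key (P2PK, Taproot) or because an earlier spend revealed it (P2PKH, P2WPKH). The addresses and amounts are placeholders.

```python
# Added example, not code from the original article: audit a wallet's own
# receive/spend history for the two habits the article warns about, address reuse
# and leaving funds on addresses whose public key a spend has already revealed.
# Input is a constructed event log, not real chain data.
from collections import defaultdict

# Types whose key sits in the output itself (exposed from the moment of receipt).
KEY_IN_OUTPUT = {"P2PK", "P2TR"}
# Types that hide the key behind a hash until the first spend from that address.
KEY_AFTER_SPEND = {"P2PKH", "P2WPKH"}

def audit_history(events):
    """
    events: list of ("recv", address, type, sats) or ("spend", address, sats).
    Returns reused addresses, addresses with an exposed key, and the sats still
    held on exposed addresses (what a future key-recovery capability could reach).
    """
    received = defaultdict(int)   # address -> number of receives
    balance = defaultdict(int)    # address -> current sats
    atype = {}                    # address -> output type
    spent_from = set()
    for ev in events:
        if ev[0] == "recv":
            _, addr, typ, sats = ev
            received[addr] += 1
            balance[addr] += sats
            atype[addr] = typ
        elif ev[0] == "spend":
            _, addr, sats = ev
            balance[addr] -= sats
            spent_from.add(addr)
    reused = sorted(a for a, n in received.items() if n > 1)
    exposed = sorted(
        a for a, t in atype.items()
        if t in KEY_IN_OUTPUT or (t in KEY_AFTER_SPEND and a in spent_from)
    )
    at_risk = sum(balance[a] for a in exposed if balance[a] > 0)
    return {"reused": reused, "exposed": exposed, "sats_at_risk": at_risk}

# Constructed event log with placeholder addresses.
EVENTS = [
    ("recv", "bc1q_A", "P2WPKH", 100_000),
    ("spend", "bc1q_A", 60_000),           # first spend: key of bc1q_A now on-chain
    ("recv", "bc1q_A", "P2WPKH", 50_000),  # reuse: 90_000 sats behind an exposed key
    ("recv", "bc1q_B", "P2WPKH", 70_000),  # fresh address, never spent: key hidden
    ("recv", "bc1p_C", "P2TR", 20_000),    # Taproot: key visible in the output
]

if __name__ == "__main__":
    print(audit_history(EVENTS))
```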

Preparing for a quantum transition

The global Bitcoin ecosystem is slowly beginning to adapt to the coming shift. Proposals like BIP-360 explore the migration to quantum-resistant address schemes, and researchers continue to debate timelines for what they call “Q Day” — the moment when quantum computers achieve practical decryption capabilities.

While that day has not yet arrived, the risk is not hypothetical. Each passing year brings quantum computing closer to the point where today’s encryption methods could be compromised. For Bitcoin users, protecting privacy and security now is not just prudent; it is essential. The sooner funds and practices migrate toward quantum-resilient models, the better the chances of preserving financial sovereignty in the next era of computing.
