
Researcher Cracks 15-Bit ECC Key on Quantum Computer — Is Bitcoin at Immediate Risk?

Published 28 April 2026
By Onkar Singh

Key Takeaways 

  • The 15-bit ECC crack is simultaneously less than advertised and more important than critics are willing to admit. 
  • As a direct demonstration of quantum superiority over classical methods, it appears to fall short.
  • Bitcoin developers have shown the same result can be achieved with two dozen lines of Python and a random number generator. 
  • But as a signal of the accelerating pace of both quantum hardware development and theoretical optimization, it cannot be entirely dismissed. 

On April 24, 2026, a story broke that sent ripples through the cryptocurrency world. Independent researcher Giancarlo Lelli broke a 15-bit elliptic curve cryptography (ECC) key on publicly accessible quantum hardware, a demonstration 512 times larger than the previous public record set in September 2025. The achievement earned him the coveted Q-Day Prize: exactly 1 Bitcoin, worth approximately $78,000 at the time of the award.

Project Eleven awarded the bounty on April 24, 2026, and described the result as the largest public demonstration of a quantum attack on elliptic curve cryptography to date. The winning attack used a machine with about 70 qubits and ran in minutes once developed.

The announcement sent shockwaves through the cryptocurrency and cybersecurity communities. Headlines blared about Bitcoin being ‘cracked.’ Social media filled with either panic or dismissal.

The truth, as usual, lies somewhere in between, and understanding it requires examining both what actually happened and what it means for the road ahead.

What Is ECC and Why Does It Matter to Bitcoin?

Elliptic curve cryptography (ECC) is the mathematical backbone of Bitcoin’s security model: it is the math that lets a crypto wallet prove it controls funds without revealing its private key. A public key can be visible to everyone, but deriving the corresponding private key is supposed to be impossible in practical terms.

The attack targeted the Elliptic Curve Discrete Logarithm Problem, or ECDLP. This is the mathematical relationship that makes it easy to generate a public key from a private key but computationally infeasible to reverse the process using classical computers. Every time you send Bitcoin, your wallet signs the transaction with your private key and broadcasts the corresponding public key. If someone can solve ECDLP for your public key, they have your private key and they have your coins.

The method used to crack the key was a variant of Shor’s algorithm. Shor’s algorithm allows quantum computers to efficiently factor integers and compute discrete logarithms; the discrete-logarithm variant is what is critical to breaking ECC. First proposed in 1994, Shor’s algorithm has long been known as the existential threat to modern public-key cryptography, but for decades it remained purely theoretical, waiting on hardware that didn’t yet exist.

What Lelli Actually Did — And What It Means 

The Q-Day Prize was launched in 2025 and named after the hypothetical date a sufficiently powerful quantum computer could break modern cryptography.

It was designed to test whether publicly available quantum systems could move beyond one of the field’s most common criticisms: that current machines have only demonstrated trivial calculations, such as factoring the number 21 into 3 and 7. Lelli’s result expanded that capability to a 15-bit elliptic curve problem with 32,767 possible values.

[Figure: How Giancarlo Lelli recovered the private key. | Source: GitHub]

Lelli implemented a two-register variant of Shor’s algorithm on IBM Quantum cloud hardware, targeting elliptic curves of the form used in Bitcoin’s secp256k1 standard. The circuit ran across multiple IBM Heron r2 processors, including ibm_torino and ibm_fez, and relied on techniques designed for noisy intermediate-scale quantum devices. 

Project Eleven described the result as the largest public demonstration of a quantum attack on ECC to date, with CEO Alex Pruden warning that ‘the resource requirements for this type of attack keep dropping, and the barrier to running it in practice is dropping with them.’

The Q-Day Prize itself was launched in 2025 with a specific purpose: to test whether publicly available quantum systems could move beyond one of the field’s most common criticisms that current machines have only demonstrated trivial calculations, such as factoring the number 21 into 3 and 7. Lelli’s result, on its surface, appeared to answer that challenge. 

[Figure: All runs were executed on the IBM Quantum open-instance plan. | Source: GitHub]

Critics Slam Quantum Bitcoin Break as Statistically Meaningless

Within hours of the prize being awarded, the Bitcoin developer community hit back hard. Former Bitcoin Core maintainer Jonas Schnelli published an analysis of the quantum circuit Lelli had used, writing that the IBM computer produced output ‘statistically indistinguishable from repeated coin flips,’ meaning the output carried no deterministic signature attributable to the quantum computation. 

To prove it, he reproduced the entire 15-bit key recovery with a Python script of about twenty lines that uses only random bits, obtaining the exact same result.

The critique didn’t stop there. Researcher Yuval Adam tested the method by forking the winning repository, removing the calls to IBM Quantum, and replacing them with random bytes from /dev/urandom – only to find that every recovered key was byte-identical to what Lelli had reported. The result suggested the system did not rely on quantum computation at all, instead functioning as a probabilistic process that accepts random guesses satisfying a classical verification step.

Project Eleven’s X post announcing the milestone now carries a Community Notes fact check, stating that the approach used to recover the 15-bit ECC key depends on classical verification of outputs indistinguishable from random noise, effectively amounting to classical guessing. In plain terms: the quantum computer may not have done meaningful quantum work. 

The key was small enough, just 32,767 possible values, that repeated classical guesses could find it anyway. The quantum hardware, critics argue, was along for the ride. 
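
The critique above can be reproduced on a toy group. This is an added example, not Schnelli's or Adam's script and not code from the winning repository: the curve prime 32719, the secret 12345 and the post-processing convention k = d*j mod n are assumptions chosen for illustration. It feeds one classical verifier first with samples from an idealised noiseless Shor run, then with uniform random numbers, and reports how many shots each needed.

```python
import itertools, math, random
P, B = 32719, 7   # constructed 15-bit toy prime; y^2 = x^3 + 7 has secp256k1's shape

def add(p1, p2):
    """Affine point addition over F_P; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def setup():
    """Pick a base point G and brute-force its order n (feasible only at toy size)."""
    x = next(x for x in range(1, P) if pow(x**3 + B, (P - 1) // 2, P) == 1)
    G = (x, pow(x**3 + B, (P + 1) // 4, P))   # square root is easy because P % 4 == 3
    n, acc = 1, G
    while acc is not None:
        acc, n = add(acc, G), n + 1
    return G, n

def recover(G, Q, n, shots):
    """Assumed Shor post-processing: d = k * j^-1 mod n, kept only if d*G == Q."""
    for used, (j, k) in enumerate(shots, 1):
        if math.gcd(j, n) == 1 and mul((d := k * pow(j, -1, n) % n), G) == Q:
            return d, used

def demo(secret=12345, seed=1):
    """Return (n, d, (key, shots) from ideal samples, (key, shots) from random bits)."""
    G, n = setup()
    d, Q, rng = secret % n, mul(secret, G), random.Random(seed)
    js = (rng.randrange(1, n) for _ in itertools.count())
    ideal = ((j, d * j % n) for j in js)         # noiseless model: k = d*j mod n
    noise = ((j, rng.randrange(n)) for j in js)  # no quantum signal: k is uniform
    return n, d, recover(G, Q, n, ideal), recover(G, Q, n, noise)

if __name__ == "__main__":
    print(demo())
```

Both sources pass the same classical check and return the same key; only the shot count differs, so a successful verification by itself does not show that the hardware contributed.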

Google’s Craig Gidney Piles On

Perhaps the most authoritative rebuke came from Craig Gidney, a research scientist on Google’s quantum computing team. In an April 25 blog post titled ‘The predictable failure of the QDay Prize,’ Gidney argued that the winning submission did not meaningfully demonstrate progress toward a cryptographically relevant quantum attack, and that the contest was structured around a benchmark that current quantum computers are poorly suited to measure.

Gidney’s central objection was technical: Shor’s algorithm requires quantum error correction to work meaningfully at cryptographic scale, and the current generation of hardware simply doesn’t have it. He had declined an invitation to participate in the prize last year, viewing the premise as flawed from the start. 

Project Eleven’s CEO Alex Pruden later acknowledged the criticism, conceding that ‘small factoring problems are a very imperfect yardstick for Q-Day,’ while defending the competition as an effort to bridge the gap between theoretical quantum risk and public awareness.

According to Adam Back, security protocol work is grounded in honesty, self-critique, and peer review. The priority is objective security, not perception. That focus often comes at the expense of marketing, but in this field, correctness matters more than promotion. 

So Is Bitcoin Safe? The Honest Answer

Lelli’s result does not mean Bitcoin is close to being cracked. Bitcoin uses 256-bit elliptic curve security. A 15-bit key has a search space of 32,767 possibilities, tiny by comparison. The gap between where quantum computing stands today and where it needs to be to threaten Bitcoin is not a gap that can be crossed overnight, or even in a few years with current trajectories.

The distance from 15 bits to 256 bits represents a factor of 2 to the power of 241 in computational difficulty. Even optimistic recent research, including a Google paper published in April 2026, estimates that breaking 256-bit ECC would require fewer than 500,000 physical qubits, a threshold that current quantum hardware falls far short of. Today’s best machines operate in the range of 1,000 to 1,500 qubits, most of which are too noisy for sustained cryptographic computation. 

That said, the broader trajectory of quantum research does deserve serious attention. Quantum attacks on ECC have moved from theory to practice over the last seven months: Steve Tippeconnic’s 6-bit demonstration in September 2025 was the first public break on quantum hardware, and Lelli’s 15-bit result extends it by a factor of 512. 

Theoretical resource estimates for a full 256-bit attack have fallen sharply over the same period, with a paper from Caltech and Oratomic bringing the estimated qubit requirement as low as 10,000 in a neutral-atom architecture. The direction of travel is clear, even if the destination remains distant. 

Which Bitcoin Wallets Are Actually Vulnerable?

Not all wallets face the same risk, and understanding the distinction is crucial for anyone holding Bitcoin.

The quantum threat specifically targets addresses where the public key is already visible on the blockchain. When you receive Bitcoin to an address and never spend from it, only the hash of your public key is exposed. Hashing provides an additional layer of protection because even a working ECDLP attack cannot reverse a hash.

Your coins are safe as long as the public key stays hidden. But the moment you spend from an address, your full public key gets broadcast to the network as part of the transaction signature.

This means two categories of addresses are at heightened risk if a cryptographically capable quantum computer ever arrives:

  • Re-used addresses: Wallets that have both received and sent Bitcoin, meaning the public key is permanently on-chain and available for analysis.
  • Early Bitcoin addresses: Those belonging to Bitcoin’s pseudonymous creator. Project Eleven estimates roughly 6.9 million Bitcoin sit in such addresses, about one-third of total supply, including Satoshi Nakamoto’s estimated 1 million Bitcoin untouched since the network’s earliest years.

If Q-Day ever arrives, those exposed wallets could be drained silently and systematically. The attacker wouldn’t need to brute-force every wallet – they could cherry-pick the largest exposed balances first.

Quantum Threat to Bitcoin Grows as 6.9M BTC Face Potential Exposure

Despite the controversy around this specific result, the underlying concern is legitimate. Roughly 6.9 million Bitcoin sit in wallets whose public keys are visible on-chain, exposing them to a quantum attack if and when a sufficiently powerful machine arrives. Every time a Bitcoin transaction is broadcast, the public key is temporarily exposed, creating a narrow but real window of theoretical vulnerability.

The debate this episode has sparked, between physicists who see quantum computing accelerating rapidly and cryptographers who demand rigorous empirical benchmarks before abandoning proven classical security, is not just academic. It shapes the urgency with which the industry pursues post-quantum cryptographic standards. 

The US National Institute of Standards and Technology has already finalized several post-quantum algorithms, and Bitcoin developers are beginning to explore upgrade pathways, though no timeline for migration has been set.

FAQs

Did a quantum computer really crack Bitcoin’s encryption?

No. The experiment targeted a tiny 15-bit ECC key, not Bitcoin’s real 256-bit security. While the demonstration used quantum hardware, critics showed the same result could be reproduced with simple classical methods. Bitcoin itself remains secure.

Why is the 15-bit ECC crack being debated?

Because the result may not reflect true quantum advantage. Researchers found the output looked like random noise, meaning the “attack” could be replicated with basic guessing techniques. This raises questions about whether the quantum computer actually did meaningful work.

How far are quantum computers from breaking Bitcoin?

Bitcoin uses 256-bit elliptic curve keys, which are exponentially harder to break than a 15-bit key. Experts estimate it would require hundreds of thousands of stable qubits – far beyond today’s machines, which are still noisy and limited.

Should Bitcoin users be worried right now?

There is no practical threat today. However, the steady progress in quantum computing means the risk isn’t purely theoretical anymore, and developers are already exploring post-quantum security upgrades to prepare for the future. 

Disclaimer: The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
Onkar Singh

Onkar Singh has three years of experience as a digital finance content creator. Throughout his career, he has collaborated with various DeFi projects and crypto media outlets. In his leisure time, he enjoys fitness activities at the gym and watching movies across different genres. Balancing his professional and personal interests, Onkar continues to contribute to the digital finance landscape while pursuing his hobbies.
