The Attack That Does Not Need a Quantum Computer to Start
The standard framing of the quantum threat to blockchain goes like this: one day, a sufficiently powerful quantum computer will arrive, and at that point, elliptic-curve cryptography will break. The solution is to migrate before that day comes.
This framing is operationally wrong. It assumes the attack begins when the decryption hardware becomes available. Nation-state intelligence agencies have understood for more than a decade that the harvest phase of the attack is entirely separable from the decryption phase, and the harvest is happening right now.
The harvest now, decrypt later (HNDL) strategy is documented, operational, and specifically well-suited to blockchain. Understanding exactly what is being collected, by whom, and why Bitcoin's architecture makes it a particularly attractive target changes the risk calculus entirely. The 6.9 million BTC sitting in addresses with exposed public keys is not a future problem. Those keys are almost certainly already in adversary databases.
What Nation-States Are Actually Collecting
Three categories of blockchain data are valuable to HNDL collection operations. Each has different properties in terms of collection difficulty, storage cost, and future exploit value.
Transaction Graphs and Address Clustering
The full transaction history of any public blockchain is freely downloadable. As of mid-2026, the Bitcoin blockchain totals roughly 650 gigabytes. The Ethereum blockchain, including state, is larger, but the transaction record itself compresses substantially. Archiving these datasets costs almost nothing relative to the potential future value of the public keys embedded in them.
Transaction graphs are more valuable than raw blockchain dumps. By applying chain analysis techniques to the raw data, well-resourced actors can construct rich address clustering models that group addresses controlled by the same entity, trace fund flows across hops, and identify the on-chain footprint of exchanges, custodians, and high-value wallets. Nation-state agencies have both the computational resources and the motivation to run these analyses at scale.
The intelligence value of transaction graphs does not depend on breaking cryptography. But the cryptographic data embedded in those transactions, specifically the public keys attached to every spending output, is what becomes exploitable the moment sufficient quantum hardware exists.
Exposed Public Keys from Spent Addresses
Every time a Bitcoin address spends, it publishes its public key. This is not a bug; it is a design feature of how ECDSA signatures work. The signature that authorizes the spend mathematically reveals the public key, which is then permanently recorded in the blockchain. Anyone who archives the blockchain has, by definition, archived every public key that has ever been used to authorize a Bitcoin spend.
The same applies to Ethereum. Every transaction signed by an externally owned account publishes the signer's public key in the transaction data. Ethereum's account model actually creates a more systematic exposure than Bitcoin's UTXO model, because accounts are long-lived and the same key is reused across every transaction from that account.
For an adversary running Shor's algorithm, a public key is the only input required to derive the corresponding private key. The algorithm does not need the encrypted data, the signature, or any auxiliary information. It needs exactly one thing: the 33-byte compressed public key that Bitcoin has been publishing in every spending transaction since 2009.
Encrypted Off-Chain Channel Data
Lightning Network channels, state channels, and other off-chain payment constructions introduce a third collection surface. Channel opening and closing transactions are on-chain and expose public keys directly. But the encrypted gossip traffic between Lightning nodes, which includes routing hints, channel announcements, and payment probes, is transmitted over authenticated, encrypted connections that are themselves protected by classical cryptography.
For an adversary running a passive collection operation on internet backbone infrastructure, this gossip traffic is a harvest target. Today, the traffic is opaque. Once quantum hardware arrives, the session keys protecting those connections become recoverable, and the traffic becomes readable. This matters not just for payment privacy but for mapping the topology of off-chain networks, identifying high-value routing nodes, and reconstructing payment flows that were never intended to appear on the public chain.
The Intelligence Programs Running This Collection
The operational reality of HNDL at nation-state scale is documented through a combination of leaked documents, academic research, and public intelligence community disclosures. Three programs are particularly relevant.
NSA XKeyscore and Upstream Collection
XKeyscore is the NSA's primary tool for searching and analyzing internet data collected through its upstream tapping operations on fiber-optic cables. Documents disclosed by Edward Snowden in 2013 confirmed that XKeyscore provided analysts with near-real-time access to internet traffic content, including the ability to search by protocol, content type, and cryptographic parameters.
Upstream collection programs, operating under Section 702 of the Foreign Intelligence Surveillance Act and its predecessors, give the NSA access to internet traffic at the physical infrastructure level. Bitcoin's peer-to-peer protocol traffic, including raw transaction broadcasts and block propagation, passes over this infrastructure. Collection at this layer captures not just the on-chain data but the full context of how transactions are constructed and transmitted, including the network identifiers of originating nodes.
Whether the NSA has specifically built HNDL archives of blockchain data is not publicly confirmed. But the infrastructure for doing so exists and is operational. The marginal cost of adding blockchain transaction streams to existing collection pipelines is near zero.
GCHQ Tempora and Mastering the Internet
GCHQ's Tempora program, also disclosed in the Snowden documents, operated through direct taps on undersea fiber-optic cables landing in the United Kingdom. At its documented peak, Tempora was collecting and storing 21 petabytes of data per day, with a rolling buffer that kept content for three days and metadata for thirty.
The program's internal codename for its ambition was "Mastering the Internet." In the context of blockchain HNDL, the relevant capability is the bulk collection of encrypted traffic passing through UK-based internet infrastructure, which includes substantial volumes of Bitcoin and Ethereum node traffic given the concentration of financial services and technology infrastructure in London.
Tempora-class collection captures the public key material in Bitcoin transaction broadcasts at the network level, before it even settles on the blockchain. For HNDL purposes, this creates a collection redundancy: adversaries with access to both on-chain archives and backbone traffic captures have multiple independent sources of the same public key material.
Chinese Ministry of State Security Programs
The Chinese Ministry of State Security operates collection programs whose capabilities are less publicly documented than NSA and GCHQ operations, but whose ambition is well-established through incident reports, indictments, and intelligence community assessments. China's Golden Shield project and its successors give the MSS deep visibility into internet traffic transiting Chinese infrastructure, and China's position as a major hub for Bitcoin mining through 2021 gave MSS-aligned collectors unique proximity to the Bitcoin network's peer-to-peer traffic.
More directly relevant is China's documented national quantum computing investment program. China has invested more than $15 billion in quantum research since 2016 according to public estimates, with a specific policy emphasis on cryptographically relevant applications. The combination of aggressive collection infrastructure and a leading-edge quantum hardware program represents exactly the threat model that HNDL defenders need to plan against: an adversary that is simultaneously building the harvest and accelerating toward the decryption capability.
Chinese state actors have also been identified in multiple indictments and attribution reports as specifically targeting cryptocurrency exchange infrastructure, blockchain analytics firms, and wallet providers. The intelligence value of infiltrating these systems includes not just trading data but the mapping of on-chain identities to real-world individuals, which transforms a future quantum decryption capability into a targeted financial weapon rather than just a broad capability.
Bitcoin's UTXO Set as a Ready-Made Harvest Target
Bitcoin's Unspent Transaction Output model is architecturally elegant for many reasons, but it creates a specific property that is maximally convenient for HNDL collection: the current UTXO set is a compact, structured database of exactly the information a quantum attacker needs.
The UTXO set contains every unspent output on the Bitcoin network, including the locking scripts that specify the conditions under which each output can be spent. For Pay-to-Public-Key-Hash outputs, the locking script contains the hash of the public key, not the public key itself. But for Pay-to-Public-Key outputs, a format used extensively in early Bitcoin transactions and still present in the UTXO set, the locking script contains the raw public key directly.
More importantly, the combination of the UTXO set and the transaction history provides a complete record of every public key that was ever used to authorize a spend from any output that still holds value. An adversary does not need to process the entire blockchain to build their attack database. They can start with the current UTXO set, identify all outputs whose public keys have been exposed through prior spending activity, and produce a targeted list of high-value addresses to attack when quantum hardware is available.
This is the basis for the 6.9 million BTC exposure figure. Research by organizations including the Bitcoin Policy Institute and academic groups at the University of Sussex has estimated that approximately 6.9 million BTC sit in addresses whose public keys are already publicly recorded, either through Pay-to-Public-Key output formats or through prior spending activity from reused addresses. At any given Bitcoin price, this represents a target pool worth hundreds of billions of dollars, all of whose cryptographic material is already in the public record.
An adversary building an HNDL archive does not need to monitor the network. They need to download one file: the UTXO set dump, which the Bitcoin Core software produces by default and which is widely distributed as a convenience for new node operators. The entire harvest target for Bitcoin's most exposed funds fits in a few gigabytes. For a nation-state with petabyte-scale storage infrastructure, this is a rounding error.
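The distinction drawn above between key-carrying and hash-locked outputs can be turned into an exposure check a holder runs over their own wallet before planning a migration. The following is an added example, not code from the original article or from QuanChain; `Utxo`, `classify`, `audit` and `spent_from_hashes` are hypothetical names, the sample data is constructed, and the P2WPKH template is included as a second hash-locked format beyond the two the text names.

```python
"""Classify a wallet's own unspent outputs by public-key exposure (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Utxo:
    outpoint: str        # "txid:vout" label; the values below are constructed
    value_sat: int
    script_pubkey: bytes


def classify(script: bytes):
    """Return (kind, key_or_hash) for the single-key locking-script templates."""
    n = len(script)
    # P2PK: <push 33 or 65> <public key> OP_CHECKSIG  -> raw key sits in the script
    if n in (35, 67) and script[0] == n - 2 and script[-1] == 0xAC:
        key = script[1:-1]
        if (n == 35 and key[0] in (2, 3)) or (n == 67 and key[0] == 4):
            return "p2pk", key
    # P2PKH: OP_DUP OP_HASH160 <push 20> <key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        return "p2pkh", script[3:23]
    # P2WPKH: OP_0 <push 20> <key hash>
    if n == 22 and script[:2] == b"\x00\x14":
        return "p2wpkh", script[2:]
    return "other", b""


def audit(utxos, spent_from_hashes):
    """Label each output; spent_from_hashes holds key hashes already spent from."""
    report = []
    for u in utxos:
        kind, data = classify(u.script_pubkey)
        if kind == "p2pk":
            status = "exposed-in-script"
        elif kind in ("p2pkh", "p2wpkh"):
            # The hash hides the key only until the first spend reveals it.
            status = "exposed-by-reuse" if data in spent_from_hashes else "hash-locked"
        else:
            status = "review-manually"   # other templates are out of scope here
        report.append((u.outpoint, kind, status, u.value_sat))
    return report


def exposed_value(report):
    """Total satoshis in outputs whose public key is already on the chain."""
    return sum(value for _, _, status, value in report if status.startswith("exposed"))


# Constructed sample data (not real keys, hashes or outpoints).
KEY = b"\x02" + bytes(range(32))
H_REUSED, H_FRESH = b"\x11" * 20, b"\x22" * 20
SAMPLE = [
    Utxo("tx-a:0", 5_000_000_000, b"\x21" + KEY + b"\xac"),
    Utxo("tx-b:1", 150_000, b"\x76\xa9\x14" + H_REUSED + b"\x88\xac"),
    Utxo("tx-c:0", 900_000, b"\x00\x14" + H_FRESH),
    Utxo("tx-d:2", 42_000, b"\xa9\x14" + b"\x33" * 20 + b"\x87"),
]

if __name__ == "__main__":
    result = audit(SAMPLE, {H_REUSED})
    for row in result:
        print(row)
    print("exposed satoshis:", exposed_value(result))
```

Outputs labelled exposed are the ones to move first; a hash-locked output stays in that category only as long as its address is never spent from and then funded again.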
Why the 6.9 Million BTC Figure Is Already in Adversary Databases
The assertion that adversary databases already contain the data needed to attack exposed Bitcoin addresses is not a speculative claim. It follows directly from the structure of the attack.
The Bitcoin blockchain is public. The UTXO set is public. The transaction history is public. Every piece of data needed to identify which addresses are vulnerable and what public keys protect them is openly available to anyone with an internet connection. There is no interception required, no insider access needed, and no covert operation necessary to build this database.
Given that, any organization with a long time horizon and basic technical capability that has not already built this archive is leaving value on the table. Nation-states with quantum computing programs have both the time horizon and the technical capability. Criminal organizations that understand the HNDL concept have the motivation. Well-resourced private actors betting on quantum timelines have the financial incentive.
The question is not whether adversary HNDL databases of Bitcoin public keys exist. The more defensible assumption is that they do, held by multiple independent actors, and that the race is now entirely about whether Bitcoin addresses migrate to quantum-resistant formats before sufficient quantum hardware arrives to process those databases.
As explained in our analysis of how many qubits are needed to break Bitcoin, that hardware threshold is not fixed. Algorithmic improvements in Shor's algorithm implementation continue to reduce the qubit count required, and nation-state programs may be operating with hardware capabilities that are not publicly disclosed.
The Encrypted Channel Data Problem Is Underappreciated
The focus on on-chain public keys, while justified, can obscure a second collection surface that is growing in importance as blockchain networks build out off-chain infrastructure.
Layer-2 payment channels, cross-chain bridges, and oracle networks all involve encrypted peer-to-peer communication between nodes. This communication is typically protected by classical key exchange protocols, TLS variants, or Noise protocol framework implementations. All of these are vulnerable to HNDL collection for the same reason blockchain transaction data is: the session establishment handshakes involve public keys, the traffic is being collected by infrastructure-level surveillance programs, and a future quantum computer running Shor's algorithm will be able to derive the session keys and decrypt the stored traffic.
For Lightning Network specifically, this creates a privacy problem that does not exist for on-chain Bitcoin: payment flows that were never meant to be visible on-chain may become readable retroactively once their protecting session keys are broken. The privacy guarantees of off-chain channels assume that the encryption protecting channel traffic is computationally irreversible. That assumption fails under a quantum adversary with archived traffic.
QuanChain's three-channel architecture addresses this by ensuring that all inter-node communication is protected by post-quantum cryptographic primitives at the transport layer, not just the transaction layer. The goal is that traffic archived today by XKeyscore or Tempora-class collection systems remains cryptographically opaque even when processed by future quantum hardware.
What Structural Immunity Requires
Defending against HNDL at the blockchain layer requires more than adopting post-quantum signature schemes for future transactions. It requires addressing the three collection surfaces simultaneously: the on-chain public key record, the live transaction broadcast traffic, and the off-chain communication channels.
On-chain, the only complete solution is ensuring that public keys are never recorded on the blockchain at all. TADEQS achieves this by locking value against address hashes rather than public keys, and rotating the underlying key material atomically with each spend through the SpendAndRotate mechanism. An adversary archiving QuanChain's blockchain history captures address hashes, which are one-way functions of the underlying public keys. Without the public key, Shor's algorithm has no input to work with.
For broadcast traffic, post-quantum key encapsulation mechanisms in node-to-node communication protocols ensure that session keys protecting transaction broadcasts cannot be recovered by a future quantum adversary processing archived traffic. This is what NIST's post-quantum standards, specifically CRYSTALS-Kyber for key exchange, are designed to provide.
For off-chain channels, the same key encapsulation standards applied at the transport layer protect archived channel traffic against future quantum decryption. This requires not just that the endpoints support post-quantum key exchange, but that the network protocol mandates it, so that there is no fallback to classical key exchange that a collecting adversary could exploit by downgrading the connection.
Understanding the full scope of what post-quantum cryptography actually covers makes clear that signature schemes alone are insufficient. Key exchange, transport security, and on-chain data minimization all need to be addressed together.
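The difference between endpoints that support post-quantum key exchange and a protocol that mandates it, as described above for transport and off-chain channels, shows up in the responder's suite selection. The following is an added example, not code from the original article or from QuanChain; the suite labels, function names and session records are hypothetical and constructed for illustration.

```python
"""Responder-side key-exchange selection: 'supports PQ' versus 'mandates PQ'."""

# Suite labels are hypothetical; "kyber768" stands for the CRYSTALS-Kyber KEM.
PREFERENCE = ["x25519+kyber768", "kyber768", "x25519"]   # best first
PQ_SAFE = {"x25519+kyber768", "kyber768"}                # hybrid or pure post-quantum


class HandshakeRefused(Exception):
    """Raised instead of completing a handshake below the policy floor."""


def select_suite(peer_offer, require_pq):
    """Pick the best mutually supported suite, honouring the policy floor."""
    for suite in PREFERENCE:
        if suite not in peer_offer:
            continue
        if require_pq and suite not in PQ_SAFE:
            continue          # never fall back to a classical-only exchange
        return suite
    raise HandshakeRefused(f"no acceptable suite in offer {sorted(peer_offer)}")


def connect(peer_offer, require_pq):
    """Return ('ok', suite) or ('refused', reason) so both outcomes can be logged."""
    try:
        return "ok", select_suite(peer_offer, require_pq)
    except HandshakeRefused as exc:
        return "refused", str(exc)


def harvestable(sessions):
    """Peers whose recorded handshake used a classical-only exchange."""
    return sorted(peer for peer, suite in sessions if suite not in PQ_SAFE)


# Constructed offers: a full offer, and the same offer as it would arrive if the
# post-quantum entries were removed in transit (the downgrade the text describes).
FULL_OFFER = ["x25519", "kyber768", "x25519+kyber768"]
STRIPPED_OFFER = ["x25519"]

# Constructed session records: (peer label, negotiated suite).
SESSIONS = [("node-a", "x25519+kyber768"), ("node-b", "x25519"), ("node-c", "kyber768")]

if __name__ == "__main__":
    print(connect(FULL_OFFER, require_pq=False))      # best suite chosen
    print(connect(STRIPPED_OFFER, require_pq=False))  # silently downgraded
    print(connect(STRIPPED_OFFER, require_pq=True))   # fails closed
    print(harvestable(SESSIONS))
```

With the floor disabled the stripped offer still yields a working session, which is why optional support alone leaves archived traffic recoverable; with the floor enabled the connection is refused and the refusal can be alerted on.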
The Regulatory and Compliance Dimension
For institutions holding blockchain assets or building blockchain infrastructure, the HNDL threat is not just a technical problem. It is increasingly a compliance and governance problem.
NIST and CISA have both issued guidance citing HNDL as a present operational threat requiring immediate migration planning. The OMB memo directing federal agencies to inventory cryptographic systems identified HNDL specifically as the mechanism making the threat current rather than future. Financial regulators in the EU, UK, and Singapore have begun incorporating quantum migration timelines into cybersecurity supervisory frameworks.
An institution that holds significant value in Bitcoin or Ethereum addresses with exposed public keys, and that has not assessed and documented its quantum migration strategy, is increasingly exposed not just to future theft but to present regulatory scrutiny. The argument that the quantum threat is a future problem is not available to a chief risk officer who has read the CISA and NIST guidance and knows that the harvest is happening now.
The QuanChain Quantum Threat Calculator can help institutions model their specific exposure window based on their holdings, address types, and assumptions about quantum hardware progress. But the starting point for any honest assessment is accepting that the data collection phase of this attack is not pending. It is complete.
Frequently Asked Questions
Are XKeyscore and Tempora specifically known to collect blockchain data?
The disclosed Snowden documents describe XKeyscore and Tempora as bulk collection systems that capture internet traffic at the infrastructure level, with selection and storage driven by analyst queries and automated rules. Neither program is documented as having specific blockchain collection directives in the disclosed materials. However, Bitcoin's peer-to-peer protocol operates over standard TCP/IP and would be captured by any bulk collection system monitoring internet backbone traffic. The absence of a documented blockchain-specific program does not mean blockchain traffic is not collected; it means that collection would occur as a matter of course under existing bulk collection authorities without requiring a dedicated program.
How does the Chinese quantum computing investment program affect the HNDL timeline?
China's publicly documented quantum computing investment exceeds $15 billion since 2016, with significant national laboratory programs working on fault-tolerant quantum architectures. If Chinese quantum hardware development is running significantly ahead of publicly disclosed Western systems, the decryption phase of HNDL attacks could arrive sooner than consensus estimates suggest. The combination of aggressive collection infrastructure and a leading-edge quantum program in a single adversary represents the most compressed threat timeline. It does not change what data has already been collected; it compresses the window before that data becomes exploitable.
Does using a hardware wallet or cold storage protect against HNDL attacks on Bitcoin?
Cold storage and hardware wallets protect against classical private key theft. They do not protect against HNDL attacks on addresses whose public keys are already in the blockchain record. If you have ever spent from an address, the public key that authorizes spending from it is permanently recorded on-chain, regardless of where the private key is stored. A hardware wallet holding a private key corresponding to a publicly recorded public key is still vulnerable to a quantum adversary who derives the private key from the public record using Shor's algorithm. The protection offered by cold storage addresses the threat model of classical key compromise, not the threat model of quantum key derivation from public data.
Which cryptocurrencies are most exposed to HNDL-based quantum attacks?
Bitcoin and Ethereum have the largest exposure in absolute terms because of their market capitalization and their long transaction histories generating large quantities of exposed public keys. The vulnerability landscape across cryptocurrencies varies by address format, key reuse patterns, and the prevalence of early transaction types. Bitcoin's Pay-to-Public-Key outputs from the early years represent the most immediately vulnerable pool, followed by any address on any chain that has a history of spending transactions. Networks built from scratch with post-quantum primitives and public key minimization, like QuanChain, have no historical exposure to harvest because the exploitable data was never recorded in the first place.
What is the difference between on-chain and off-chain HNDL exposure for blockchain?
On-chain HNDL exposure consists of public keys permanently recorded in the blockchain history, which are available to anyone who downloads the chain. Off-chain HNDL exposure consists of encrypted communication traffic between nodes, including Lightning Network gossip, channel state updates, and cross-chain bridge messages, which is collected by infrastructure-level surveillance programs and requires future quantum hardware to decrypt. On-chain exposure is static: the data that exists today is the data that will be attacked. Off-chain exposure grows continuously as new encrypted traffic is generated and collected. Both require post-quantum defenses, but the architectural solutions are different: key minimization and hash-based commitments for on-chain, and post-quantum key encapsulation for transport-layer communications.



