    Bitcoin’s Quantum Defense May Break Its Core Promise


    Nathan Mantia
    April 16, 2026

    Bitcoin has always operated on a simple, almost sacred premise: if you hold the private key, you own the coins. No government, no bank, no developer team can touch them. That promise is now being questioned from within, and the debate it has triggered cuts straight to the heart of what Bitcoin actually is.

     

    Casa CTO Jameson Lopp and five co-authors formally published BIP-361 to Bitcoin's official GitHub repository on Tuesday. The proposal, titled "Post Quantum Migration and Legacy Signature Sunset," outlines a three-phase plan to migrate coins off quantum-vulnerable addresses. Wallets that do not migrate within the designated window would have their funds frozen at the consensus layer, meaning the network itself would prevent any movement of those coins. A bit frightening and something this author never thought he would be writing about. Bitcoin freezing coins. A very slippery slope.

     

    What Is Actually at Risk

    Roughly 34% of all Bitcoin in circulation sits in early Pay-to-Public-Key addresses where the public key is fully exposed on-chain. That includes what most analysts believe to be Satoshi Nakamoto's estimated 1.1 million BTC, worth around $74 billion at current prices. Zoom out further and Lopp estimates that approximately 5.6 million Bitcoin, worth somewhere in the range of $420 billion, has not moved in over a decade and is likely lost.

     

    The cryptographic concern here is real, even if the timeline is still fuzzy. Bitcoin's current security relies on elliptic curve math. A sufficiently powerful quantum computer running Shor's algorithm could theoretically work backward from an exposed public key to derive the private key, handing an attacker complete control of the wallet. Google flagged 2029 as a plausible threat horizon in a recent report, warning that quantum progress may be "closer than may appear."
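The exposure distinction above can be checked per output. The following is an added example, not code from the article or from BIP-361: it classifies a scriptPubKey by standard type and sums value by whether the public key sits in the output itself. It goes beyond the Pay-to-Public-Key case in the text by also bucketing hashed and Taproot outputs; the function names and the zero-filled sample outputs are constructed for illustration.

```python
# Added example (not from the article or BIP-361): bucket outputs by key exposure.
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG, OP_EQUAL = 0x76, 0xA9, 0x88, 0xAC, 0x87
OP_0, OP_1 = 0x00, 0x51

def classify(spk: bytes) -> str:
    """Return the standard output type of a scriptPubKey, or 'unknown'."""
    n = len(spk)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG, the raw key is in the output.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        if (n == 35 and spk[1] in (2, 3)) or (n == 67 and spk[1] == 4):
            return "p2pk"
    # P2PKH: only HASH160(pubkey) is in the output.
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "p2sh"
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh"
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"  # carries a 32-byte x-only public key
    return "unknown"

def exposure(spk: bytes) -> str:
    kind = classify(spk)
    if kind in ("p2pk", "p2tr"):
        return "key-in-output"
    return "unknown" if kind == "unknown" else "hashed-until-spent"

def audit(utxos):
    """Sum satoshi values per exposure bucket for (value, scriptPubKey) pairs."""
    totals = {}
    for value, spk in utxos:
        bucket = exposure(spk)
        totals[bucket] = totals.get(bucket, 0) + value
    return totals

# Constructed sample UTXOs: zero-filled placeholder keys/hashes, not real outputs.
SAMPLE = [
    (5_000_000_000, bytes([65, 4]) + bytes(64) + bytes([OP_CHECKSIG])),
    (120_000, bytes([OP_DUP, OP_HASH160, 20]) + bytes(20) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),
    (75_000, bytes([OP_0, 20]) + bytes(20)),
    (30_000, bytes([OP_1, 32]) + bytes(32)),
    (1_000, b"\x6a\x04test"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A hashed output reveals its public key in the transaction that spends it, so a reused address is exposed as well; this block looks only at the output script and does not check spend history.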

     

    The more immediate concern Lopp is raising is not technical; it is psychological. "If there is any credible evidence that anyone has the capability to recover lost or vulnerable coins with a quantum computer, you should expect a massive market panic immediately," he told CoinDesk. "It doesn't even require a massive market dump." Rational holders, he argued, would exit the system before confidence in the blockchain can be restored.

     

    How BIP-361 Would Actually Work

    The proposal is structured in three phases that only kick off after a companion proposal, BIP-360, is activated. BIP-360, which introduces quantum-resistant address types via a new pay-to-Merkle-root transaction format, entered testnet implementation through BTQ Technologies in early 2026.

     

    Phase A would arrive roughly three years after BIP-360 activation. At that point, wallets would be blocked from sending new funds to legacy address types. Users could still move coins out of vulnerable addresses, but nothing could flow in. Phase B arrives two years after that, invalidating all legacy signatures at the consensus level. Any Bitcoin still sitting in unmigrated addresses at that point becomes effectively frozen and unspendable under network rules.

     

    Phase C, still under research, would offer a last-resort recovery mechanism. Using zero-knowledge proofs tied to a BIP-39 seed phrase, holders who missed the deadline could potentially prove ownership of frozen funds without ever exposing a private key. That said, no activation timeline has been set, and the proposal remains in draft status.

     

    Even the Author Says He Does Not Want This to Happen

    Lopp has been unusually candid about his own ambivalence. In a post to X after the proposal dropped, he wrote: "I know folks don't like BIP-361. I don't like it myself. I wrote it because I like the alternative even less." He told Cointelegraph separately that the proposal is "a rough sketch" and is "not currently in a position to be adopted." He is, in his own framing, thinking adversarially about a potential future threat rather than lobbying for immediate change.

     

    He has used stronger language in the past. In a blog post from early 2025, Lopp described quantum computer operators recovering dormant coins as "vampires feeding upon the system," arguing they trade nothing of value and simply extract from an ecosystem they did not build.

     

    The Community Is Pushing Back Hard

    The response from the Bitcoin community has been swift and, in many corners, hostile. Bitcoin Magazine editor Brian Trollz rejected the proposal outright. TFTC founder Marty Bent called it "laughable." Phil Geiger of Metaplanet put it bluntly: "We have to steal people's money to prevent their money from being stolen."

     

    Frederic Fosco, co-founder of Bitcoin metaprotocol OP_NET, told Decrypt the proposal turns Bitcoin's founding promise on its head. A protocol-enforced freeze "is confiscation, full stop," Fosco said. "The second you cross that line, you've built a system that can freeze any coins for any reason deemed important enough by whoever controls the next soft fork."

     

    Blockstream CEO Adam Back, speaking at Paris Blockchain Week on Wednesday, staked out a different path. He argued that Bitcoin should start adding optional quantum-resistant features now, while leaving any forced migration decisions to the future. Back suggested Bitcoin's rough-consensus governance has historically been capable of rapid emergency coordination, pointing out that critical bugs have been patched within hours when the threat was real and visible.

     

    The divide is real and it is not going away. On one side sits a developer community that wants to get ahead of a threat that could, if realized, crater confidence in the largest cryptocurrency on earth. On the other side are holders and advocates who see any network-enforced freeze, however well-intentioned, as a precedent that fundamentally rewrites what Bitcoin is. BIP-361 has no activation timeline and depends on a separate proposal that has not yet been adopted. But the conversation it has forced is one Bitcoin will eventually have to finish.
