Giancarlo Lelli is an independent researcher. He did not work at a national laboratory. He did not have access to a proprietary quantum chip. He used publicly accessible cloud-based quantum hardware, the same infrastructure available to any motivated researcher with a credit card and a few hours of curiosity, and he derived a private encryption key from its public counterpart across a search space of 32,767.
For that, Project Eleven awarded him 1 Bitcoin worth approximately $78,000.
The key he broke was 15 bits. Bitcoin uses 256-bit keys. Those two numbers need to be held in mind simultaneously to understand what happened yesterday and what it means.
What Lelli Actually Did
Elliptic curve cryptography is the mathematical foundation underneath every Bitcoin wallet. When you sign a transaction, you are proving you control funds without revealing your private key. The security assumption is that deriving a private key from a public key is computationally impossible in any practical timeframe using classical computers.
Shor’s algorithm, first proposed in 1994, challenges that assumption on quantum hardware. It attacks the Elliptic Curve Discrete Logarithm Problem, the specific math underlying Bitcoin’s signature scheme, exponentially more efficiently than any classical approach. On a sufficiently powerful quantum computer, Shor’s algorithm could derive a private key from a visible public key and drain the wallet.
The question has always been what “sufficiently powerful” actually means in practice and when that threshold gets crossed.
Lelli’s result is the most concrete answer yet. In September 2025, engineer Steve Tippeconnic broke a 6-bit elliptic curve key using IBM’s 133-qubit quantum computer, the first public demonstration of this attack class on real quantum hardware. Lelli extended that by a factor of 512 in seven months. Six bits to 15 bits. On hardware anyone can rent.
“The resource requirements for this type of attack keep dropping, and the barrier to running it in practice is dropping with them,” Project Eleven CEO Alex Pruden said. He emphasized the significance of the hardware used. No national lab. No private chip. Cloud-accessible quantum hardware that exists today.
The Gap and the Rate of Change
Bitcoin uses 256-bit elliptic curve keys. Lelli broke a 15-bit key. The distance between those two numbers is not linear. It is exponential. Breaking a 256-bit key requires solving a problem that is astronomically larger than a 15-bit key, not just 17 times larger but orders of magnitude beyond current capability.
That context matters. Nobody is draining Bitcoin wallets tomorrow. Or next year. Or probably this decade.
But the rate of change is the number that should get attention.
In September 2025 the public record was 6 bits. In April 2026 it is 15 bits. A 512x improvement in seven months. Theoretical resource estimates have dropped even faster. As we covered when Google published its quantum paper in March, Google’s research team put the requirement for a full 256-bit attack below 500,000 physical qubits, down from earlier estimates in the millions. A subsequent paper from Caltech and Oratomic brought that figure as low as 10,000 qubits using a neutral-atom architecture.
The practical record and the theoretical estimates are both moving in the same direction simultaneously. That is the signal worth watching. Not the absolute numbers today but the trajectory those numbers are on.
Project Eleven CEO Alex Pruden framed it directly. “The distance from 15 bits to 256 bits is large, but the gap is increasingly viewed as an engineering problem and not a fundamental physics problem.”
Engineering problems get solved. Physics problems sometimes do not.
The 6.9 Million Bitcoin Problem
The threat is not evenly distributed across Bitcoin holders. Most modern wallets using best practices are not immediately at risk even in a future where quantum attacks become feasible, because they use address types that do not expose public keys until the moment of spending.
The concentrated risk sits in a specific category of address. Wallets where the public key is already visible on-chain. This happens when addresses are reused, when funds remain in Pay-to-Public-Key outputs from Bitcoin’s early years, or when specific wallet types expose the public key before spending.
Project Eleven estimates roughly 6.9 million Bitcoin sit in wallets with exposed public keys, approximately one-third of total supply. That pool includes Satoshi Nakamoto’s estimated 1 million Bitcoin which has not moved since the network’s earliest years. Any quantum computer capable of breaking 256-bit ECC could work through those addresses systematically.
The migration path exists. Bitcoin developers have proposed BIP-360, which would introduce quantum-resistant address types. BIP-361 would phase out older vulnerable formats and freeze tokens that fail to migrate before a defined deadline. Ethereum, Tron, StarkWare, and Ripple have each published post-quantum transition plans.
The challenge is coordination and urgency. Migration requires the Bitcoin community to agree on a timeline, activate the upgrade, and persuade millions of holders to move funds to new address types before quantum capability reaches the threshold where 256-bit keys become breakable. That process takes years. The engineering progress on the quantum side is not waiting for the governance process on the Bitcoin side.
The Part That Should Change Your Behavior Today
Bernstein research recently called quantum computing a medium to long-term upgrade cycle rather than an immediate risk. That framing is accurate for the general threat. It is not accurate for everyone equally.
If you hold Bitcoin in old addresses that have sent transactions and therefore exposed their public keys, you are in the category that faces increasing risk as the timeline compresses. Moving funds to a modern address type using current best practices is not a panic response. It is basic hygiene that is already appropriate regardless of quantum timelines.
If you are a developer building on Bitcoin or Ethereum, the BIP-360 proposal and its equivalents are worth understanding now rather than when the urgency becomes unavoidable.
If you are neither of those things and you hold Bitcoin in a modern wallet you have not reused, yesterday’s result changes nothing about your near-term risk profile. The 256-bit gap remains enormous. The rate of progress compressing that gap is faster than most people expected seven months ago.
Lelli broke a 15-bit key on a laptop budget and walked away with 1 Bitcoin. The cryptographic distance to 256 bits is still vast. The direction of travel is not ambiguous.
