A look at long-dormant wallets, stablecoin vulnerabilities, and the latest advances in quantum algorithms—and what they mean for crypto security.
Welcome,
It’s been another busy week at Project Eleven. We published two new blog posts: one on generating multiple post-quantum keypairs from a single 24-word seed phrase, and another on guaranteeing post-quantum encryption between a browser and server. The first post shows how our tool yellowpages can derive multiple quantum-safe keys (using NIST’s newly standardized ML-DSA and SLH-DSA algorithms) from the same 24-word BIP-39 seed phrase crypto users already know and trust. The second post details how we ensure all data between your browser and our servers is protected with post-quantum encryption by layering a hybrid ML-KEM key exchange over standard TLS. Now, let’s dive into the highlights of the week.
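As an added illustration of the first post's idea (this is example code written for this bulletin, not the yellowpages implementation): a single BIP-39 phrase is stretched into the 64-byte master seed exactly as BIP-39 specifies, and then domain-separated HKDF labels (an assumption of this example, not yellowpages' derivation path) produce an independent keygen seed per post-quantum algorithm, sized as FIPS 204 (ML-DSA, 32-byte seed) and FIPS 205 (SLH-DSA, three n-byte seeds) require.

```python
import hashlib
import hmac
import unicodedata

# Seed sizes the standard key generators consume: ML-DSA.KeyGen takes one
# 32-byte seed xi (FIPS 204); SLH-DSA key generation takes SK.seed, SK.prf
# and PK.seed of n bytes each, n = 16 for the 128-bit sets and 32 for 256 (FIPS 205).
SEED_SIZES = {"ML-DSA-65": 32, "SLH-DSA-SHAKE-128s": 3 * 16, "SLH-DSA-SHAKE-256s": 3 * 32}


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 mnemonic -> 64-byte master seed (PBKDF2-HMAC-SHA512, 2048 rounds)."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA256, extract then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def pq_keygen_seeds(mnemonic: str, passphrase: str = "", account: int = 0) -> dict:
    """Derive one keygen seed per algorithm and account from the same phrase.

    The label scheme below is this example's own assumption. Each label goes
    into HKDF's info field, so no two algorithms (or accounts) can ever share
    seed material even though they share the master seed.
    """
    master = bip39_seed(mnemonic, passphrase)
    seeds = {}
    for alg, size in SEED_SIZES.items():
        info = f"pq-keygen-seed/{alg}/{account}".encode()
        seeds[alg] = hkdf(master, salt=b"pq-derivation-v1", info=info, length=size)
    return seeds
```

The returned bytes are what you would feed to the ML-DSA or SLH-DSA key generator of a real library; the master seed itself is never handed to any algorithm directly.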
Late last week, several long-dormant Bitcoin “whale” wallets suddenly stirred, moving over 20,000 BTC (over $2 billion) to new addresses. These wallets received their coins back in April 2011, when bitcoin was worth less than $1. After 14 years of inactivity, their owner (who has seen a 140,000x return on the BTC’s value) chose to transfer the funds, and notably, they did not send them to an exchange for sale. Whenever ancient wallets wake up, rumors fly. Was it a lost key recovered? A hacker at work? In this case, all signs point to the legitimate owner taking action. We checked and found no evidence that the keys were vulnerable to any quantum attack: the public keys had never been exposed on-chain (or even on forks like Bitcoin Cash), so a quantum thief would have had nothing to target. In short, this does not appear to be a quantum attack, and the coins remain safe under the whale’s control.
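The check we describe above, whether a wallet's public key is already visible on-chain, can be approximated from the output script type and spend history alone. The following is example code added for this bulletin (not our internal tooling): it recognises the standard Bitcoin output scripts and reports whether the key a quantum attacker would need is sitting in the chain or still hidden behind a hash.

```python
def classify_script(spk: bytes) -> str:
    """Identify a standard Bitcoin scriptPubKey by its fixed byte layout."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"        # <33|65-byte pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"       # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH"        # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"      # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"       # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"        # OP_1 <32-byte tweaked x-only key>
    return "nonstandard"


def pubkey_exposure(spk: bytes, spent_from: bool) -> str:
    """'exposed': a Shor-capable attacker already has the key material on-chain.
    'hashed-only': only a hash is public, so there is nothing to attack yet
    (the key still appears in any future spend, so the address must not be reused)."""
    kind = classify_script(spk)
    if kind in ("P2PK", "P2TR"):
        return "exposed"            # key is part of the output itself
    if kind in ("P2PKH", "P2WPKH", "P2SH", "P2WSH"):
        # Hash types reveal the key (or the redeem/witness script holding the
        # keys) only in the spending input, so reuse after a spend exposes it.
        return "exposed" if spent_from else "hashed-only"
    return "unknown"


def exposed_outputs(outputs):
    """Filter a list of (label, scriptPubKey, spent_from) to those at risk."""
    return [label for label, spk, spent in outputs
            if pubkey_exposure(spk, spent) == "exposed"]


# Constructed sample outputs (placeholder key bytes, not real chain data).
SAMPLE = [
    ("2011-p2pkh-unspent", b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac", False),
    ("2011-p2pkh-reused", b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", True),
    ("2010-p2pk", b"\x41" + b"\x04" + b"\x33" * 64 + b"\xac", False),
    ("taproot", b"\x51\x20" + b"\x44" * 32, False),
    ("segwit-v0", b"\x00\x14" + b"\x55" * 20, False),
]
```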
That said, the episode offers a glimpse of what a quantum attack on Bitcoin might look like. In our research at Project Eleven, we’ve warned that the first hints of a cryptographically relevant quantum computer (CRQC) operating in the wild won’t come with an announcement or a flashy proof-of-concept; they’ll come as a trickle of strange on-chain events. Imagine a “Q-day” scenario: suddenly, a series of old, high-value BTC addresses (possibly even Satoshi-era wallets) start being drained, one by one. Everything about the transactions looks valid, because a quantum attacker can produce a perfectly legitimate signature, so at first, people assume the owner must have decided to move funds. Exchanges might suspect internal issues; individuals will wonder if they got hacked or phished. Only after repeated incidents, or an unmistakable event like Satoshi’s coins moving, will the community realize a quantum breach is underway. By then, billions in crypto could vanish without recourse. We explored this stealthy threat in our “Quantum Wargames” article, describing how a quantum adversary would quietly exploit exposed public keys to steal coins while avoiding detection:
“The goal won’t be to move billions all at once—it will be to move quietly. A state actor might even simulate more conventional causes: a key compromise, a sophisticated malware exploit, a rogue insider. A company might launch an internal effort to slowly “recover” lost Bitcoin, avoiding detection. The network will have no native mechanism to distinguish legitimate owners from quantum adversaries.”
Likewise, our “Quantum Earthquakes” post discussed the dilemma of dormant BTC: should the community somehow upgrade or isolate old addresses now, or leave them as prey for future “quantum scavengers” once Q-day hits?
“Unfortunately, this problem is a lot like building a city atop a fault line before you understand the science of earthquakes. Build the city with the information you have available. If someone pitched you on rebuilding your San Francisco home's foundations in case of an earthquake in 1907, you wouldn’t think the hassle was worth it. Only after the event occurs do humans take action. This is one of those moments, and we do not have time to waste.”
This week’s whale movements were legitimate, but they serve as a timely reminder: if a real quantum attack came, it might look exactly the same on the surface, large wallets emptied in moments, only with malicious intent behind the scenes.
In our previous bulletin, we highlighted the quantum risks facing stablecoins like USDC. This week, we took that further. In a new two-part blog series, we explain how stablecoins work and where their vulnerabilities lie, and then perform a deep dive analysis on the USDC smart contract running on Ethereum. These digital dollars are governed by smart contracts, immutable code on blockchains like Ethereum, and controlled by a handful of privileged admin keys. If even one of those keys is compromised, the entire system can be manipulated: new tokens minted, wallets frozen, contracts paused or replaced. With classical cryptography, those keys are secure. But quantum computers running Shor’s algorithm could change that fast.
For a deeper dive into these issues, check out our full blog posts Vulnerabilities of Stablecoins to Quantum Attacks and Quantum vs. USDC: A Threat Analysis of Circle’s Smart-Contract. The first post explains how stablecoins and their contracts work (and where the vulnerabilities lie), and the second shows how USDC’s admin structure could be abused by a quantum-powered attacker.
Quantum algorithms are advancing quickly, and we still don’t know the full extent of the problems they might one day solve. The recently proposed fixed-point quantum continuous search algorithm marks a significant leap in quantum computing’s problem-solving scope. Developed by researchers in China, it extends Grover’s famous quadratic speedup to continuous domains, meaning quantum computers can now search through uncountably infinite solution spaces much faster than classical methods. The team not only proved a quadratic speedup for continuous optimization tasks, but also established a theoretical lower bound showing the approach is optimal in query efficiency. In short, this breakthrough broadens the types of problems quantum computers can tackle, moving beyond factoring integers or unstructured search space problems into challenges like continuous optimization. Such progress signals that quantum algorithms are steadily encroaching on more complex real-world problems, a development with both exciting and sobering implications.
The rise of quantum algorithms with broadening capabilities underscores the urgent need for post-quantum (PQ) cryptography on blockchains and elsewhere. However, it also shows the need to avoid cryptographic ossification. Industry and governments have already begun planning the transition: for example, NIST has standardized new PQ digital signature and encryption algorithms, and some blockchain projects are exploring or even implementing PQ algorithms (like lattice-based signatures) to future-proof their protocols. The recent continuous quantum search breakthrough serves as a reminder that quantum threat preparedness is a moving target: it’s not enough to guard only against Shor’s and Grover’s algorithms. We must assume that more quantum advances are coming. By adopting PQ cryptography early and updating security practices, blockchains can mitigate the risk of quantum-equipped adversaries. Keeping one step ahead with robust post-quantum defenses will be key to ensuring that cryptocurrencies and digital assets remain secure in the quantum era.
- Scientists Just Simulated the “Impossible” in Quantum Computing – Scientists have discovered a way for ordinary computers to mimic a kind of error-corrected quantum calculation that experts once thought couldn’t be simulated at all. This breakthrough, led by researchers at Sweden’s Chalmers University, should make it much easier to design and test more reliable quantum machines.
- BlackRock's Bitcoin ETF Filing Warns of Quantum Computing Threat – BlackRock’s ETF prospectus flags a coming “Q-Day,” when quantum computers could crack Bitcoin and Ethereum’s encryption, and analysts say about 4 million BTC plus much of ETH would be at risk unless the networks adopt post-quantum cryptography.
- SEALSQ Begins Deployment of Quantum-Resistant eUICC Technology – Swiss firm SEALSQ is rolling out a GSMA-approved embedded SIM that uses post-quantum cryptography to secure phones, IoT devices and even low-orbit satellites. Mobile operators are already integrating the solution, protected by SEALSQ’s Swiss root certificate authority.
- Samsung One UI 8 Brings Quantum-Resistant Security With Galaxy Z Fold 7 and Flip 7 – The new One UI 8 firmware adds post-quantum encryption to Secure Wi-Fi and upgrades Knox protections, giving Samsung’s next foldables built-in defences against future quantum hacks. Additional features like KEEP storage and improved Knox Matrix further lock down personal data.
- Embracing SPHINCS+: A Strategic Shift for QRL Project Zond – QRL is replacing its state-management-heavy XMSS signatures with NIST-approved, stateless SPHINCS+, removing the risk of one-time-signature reuse and simplifying smart-contract development. The change keeps Project Zond’s release schedule intact while delivering stronger, enterprise-grade post-quantum security—even if it means slightly larger signatures and modest extra computation.
Until next time,
The Project Eleven Team