Polished
Smart text rewriter for Mac
Press a shortcut anywhere on your Mac, get 3 polished versions instantly. Translates into 20 languages, fixes grammar, and keeps your voice.
₿BTC Puzzle
The ~1000 BTC Bitcoin Challenge
A canary in the coal mine for quantum threats to Bitcoin
In 2015, an anonymous user created 160 Bitcoin addresses with private keys hidden in progressively larger ranges.
On this site you can explore the puzzle, estimate its difficulty on your own hardware, and even try brute-forcing the easy ones right in your browser.
Read FAQ ↓What is the Bitcoin Puzzle?
Every Bitcoin wallet is protected by a private key, just a number in the range from 1 to 2256(a number with 77 digits). The wallet address is derived from the private key through a one-way function (elliptic curve multiplication + hashing), easy to compute forward, but impossible to reverse. Anyone who knows the private key can calculate the address and has full access to the wallet's balance. The security of Bitcoin relies on the fact that the key range is so astronomically large that guessing it by brute force is practically impossible. The total number of possible keys is 2256 ≈ 1.16×1077. The estimated number of atoms in the observable universe is ~1080, so there are only about 1,000× more atoms in the entire universe than possible Bitcoin keys.
In 2015, an anonymous user created 160 puzzle addresses to demonstrate just how secure Bitcoin is. Each puzzle restricts the private key to a progressively larger range: puzzle #1 has the key between 1 and 2, puzzle #2 between 2 and 4, all the way up to puzzle #160 where the key is between 2159 and 2160. A total of ~1000 BTCwas distributed across these addresses.
The early puzzles (up to ~70 bits) can be solved by brute force on modern hardware. Run the benchmark below to see how long each puzzle would take on your machine.
This puzzle is a vivid proof that Bitcoin's cryptography is unbreakable by brute force, even with all the computing power on Earth combined.
However, quantum computers will change everything. Several unsolved puzzles already have their public keys exposed, and these bitcoins are unclaimed bounties, deliberately placed to be found. A researcher with a quantum computer is far more likely to start here than to steal from personal wallets. If #135, #140 and beyond are solved one after another within days or weeks, that is an unmistakable sign that quantum computing has arrived, and regular Bitcoin should brace for impact. Read why Bitcoin Puzzle is a quantum canary ↓
Browser Benchmark
How fast is your computer? (CPU only, no GPU)
Total Puzzles
160
Solved
0
Unsolved
160
BTC Price
-
| Bits | Address | Private Key | Balance | Range | Your PC | Quantum ⚛ | Status | Action |
|---|---|---|---|---|---|---|---|---|
| Loading puzzles... | ||||||||
⚛ instant = public key is known, Shor's algorithm breaks it with ~500K qubits. Applies to all solved puzzles and unsolved #135, #140, #145, #150, #155, #160.
⚛ seconds/minutes/days/months/years/infeasible = public key unknown, Grover's quantum brute force (qualitative estimate, hover for details).
⚛ seconds/minutes/days/months/years/infeasible = public key unknown, Grover's quantum brute force (qualitative estimate, hover for details).
FAQ
What if I actually find a key on this site?
The chances are astronomically small, but mathematically it can happen. If the random search on this page lands on the right key, here is what you should do:
- Save the key immediately. Copy the WIF key displayed on screen and store it securely offline.
- Import into Electrum. Open Electrum Wallet, go to File → New/Restore → Import Bitcoin addresses or private keys, and paste the WIF key.
- Do NOT broadcast a regular transaction. This is critical, especially for puzzles #71 and possibly #72, where the key range is narrow enough for a fast attack. When you broadcast a transaction, your public key is revealed in the mempool before the block is confirmed. Attackers running Pollard's kangaroo algorithm (a mathematical method that exploits the public key) can use the public key to drastically narrow the search space and find your private key in minutes, far less than the ~10 minutes needed to confirm a block. They will replace your transaction with their own and steal the funds.
This is not theoretical. On April 30, 2025, puzzle #69 was solved by bc1qlp0z45...awxctah. The finder broadcast a regular transaction instead of using MARA Slipstream. Within minutes, bots extracted the public key from the mempool, computed the private key via the kangaroo method, and started replacing the transaction. Multiple bots outbid each other, and ultimately the prize of 6.888 BTC was stolen by 15g7XHM6...GPHXZ. Don't let this happen to you. - Use MARA Slipstream. Create and sign the transaction in Electrum, but instead of broadcasting it, copy the raw signed transaction and submit it directly to a miner via MARA Slipstream. This bypasses the public mempool, so your public key is never exposed before confirmation.
Why are puzzles #1–70 solved but #71+ not yet?
The difficulty doubles with every puzzle number, meaning each next puzzle takes twice as long to brute force. Puzzle #70 has a key space of 270 (~1.2 sextillion keys). Modern GPUs can search billions of keys per second, making puzzles up to ~70 bits feasible within weeks or months on clusters consuming several megawatts of power. But puzzle #71 has twice the range, #72 has four times, and so on. By puzzle #80, the brute force time already exceeds thousands of years even on the fastest hardware. That said, hardware keeps improving, so puzzles #71–74 may eventually fall to brute force on conventional GPU farms.
Then how were puzzles #75, #80, #85, ... #130 solved?
These puzzles (every 5th starting from #75) were solved not by brute force, but using Pollard's kangaroo algorithm, a mathematical method that exploits the public key to find the private key much faster than brute force.
When someone spends Bitcoin from an address, the public key is revealed on the blockchain. For these puzzles, the creator intentionally moved small amounts to expose the public keys, effectively challenging the community to test the limits of the kangaroo algorithm. Once the public key is known, the kangaroo algorithm reduces the search from O(2n) to O(2n/2), the square root of the range. For puzzle #130, this means searching ~265 instead of 2130. According to the author of the popular Kangaroo solver, puzzle #130 was estimated to take several years on 256 Tesla V100 GPUs. It was eventually solved in September 2024, likely by a modified approach or a large distributed effort. For higher puzzles like #135 (267.5 operations), the compute time and GPU coordination requirements grow even further.
You can see which unsolved puzzles have known public keys in the table (#135, #140, #145, #150, #155, #160), these are the next targets for kangaroo solvers or quantum computers.
Are modern Bitcoin address formats safe from quantum attacks?
No. This is a common misconception. All current Bitcoin address formats are vulnerable to quantum attacks once the public key is exposed:
- Legacy (P2PKH): public key revealed when you send a transaction
- SegWit (P2WPKH): same, public key revealed in witness data when spending
- Taproot (P2TR): the public key is embedded directly in the address, exposed from the moment you receive funds. This is actually the most vulnerable format
For non-Taproot addresses, the only way to keep your public key hidden and your Bitcoin safe from quantum threats is to never spend from the address. If you do need to send a transaction, make sure to move all remaining funds to a fresh, unused address in the same transaction, so no Bitcoin is left on an address with an exposed public key. For Taproot, there is no protection at all: you should not even receive Bitcoin to a Taproot address if you are concerned about quantum threats, because the public key is exposed the moment the address appears on the blockchain.
Post-quantum cryptography has not yet been integrated into Bitcoin. Until it is, no address format offers true quantum resistance.
Can I speed up the search?
The browser-based search on this page is intentionally simple: it uses JavaScript and is limited to your CPU. Specialized tools like BitCrack, Kangaroo, or KeyHunt can leverage powerful GPUs (NVIDIA CUDA / AMD OpenCL) to search roughly ~1,000× faster than what you see in the browser benchmark.
For example, a single RTX 4090 can test ~1.5 billion keys per second for brute force. Even so, puzzle #71 would take ~25,000 years on a single card. A farm of 1,000 GPUs could bring that down to ~25 years, and even larger clusters could potentially solve it in months. But puzzles above ~75 bits remain out of reach for brute force even with massive farms: the math simply doesn't allow it. The kangaroo algorithm with known public keys is the only realistic approach for higher puzzles.
There is also an economic problem: starting from puzzle #71, the GPU rental cost required for brute force at current hardware generation would likely exceed the reward in Bitcoin at current prices. The puzzle reward would need to be worth significantly more (or hardware would need to be significantly faster) for brute force to become profitable.
What is a "canary in the coal mine"?
In the 19th and 20th centuries, coal miners brought canaries into the tunnels as an early warning system. The birds were far more sensitive to toxic gases like carbon monoxide than humans. If the canary stopped singing or died, miners knew to evacuate immediately, even before they could detect any danger themselves.
The Bitcoin Puzzle serves the same purpose for quantum computing threats. With Shor's algorithm, the puzzles are no harder to crack than any other Bitcoin address with a known public key. But unlike personal wallets, the puzzle coins are unclaimed bounties, the most obvious and ethical first target for anyone with a quantum computer. If puzzles #135, #140, #145 and beyond are all solved within days, weeks, or months of each other, that would be the canary's silence, a clear signal that a quantum computer powerful enough to threaten all of Bitcoin's cryptography has arrived.
Can quantum computers break this?
Yes, and possibly sooner than expected. In March 2026, Google Quantum AI published a whitepaper showing that breaking elliptic curve cryptography (which protects Bitcoin) could require fewer than 500,000 physical qubits, a ~20× reduction from prior estimates of millions. The Bitcoin Puzzle is vulnerable to quantum attack in two distinct ways:
1. Shor's algorithm (known public key). Puzzles with exposed public keys (#135, #140, #145, #150, #155, #160 and all solved puzzles that had spending transactions) can be broken instantly by Shor's algorithm. It computes the private key directly from the public key, no brute force needed. These puzzles are marked as instant ⚛ in the Quantum column. This threat extends far beyond the puzzle: any Bitcoin address with an exposed public key is equally vulnerable. This includes every address that has ever sent at least one transaction (the public key is revealed in the spending input) and every Taproot (P2TR) address, where the public key is embedded in the address itself from the moment it receives funds. According to Deloitte's research, over 4 million BTC (~25% of all mined Bitcoin) sit in addresses with exposed public keys, vulnerable to Shor's algorithm the moment a sufficiently powerful quantum computer exists.
2. Grover's algorithm (all unsolved puzzles). Even without a known public key, every puzzle has a much narrower key range than a standard Bitcoin address (2160 vs 2256). Grover's algorithm provides a quadratic speedup, effectively halving the bit length. So puzzle #160 (160-bit range) becomes a 80-bit search, and puzzle #80 becomes just 40 bits, easily solvable. For a regular Bitcoin address where the public key was never exposed (never sent a transaction, or uses a modern address format), Grover's would need 2128 operations. At ~1 billion quantum ops/sec, that is ~1022 years, trillions of trillions of years, still completely infeasible even for quantum computers. The puzzles are up to 2176 times easier to crack than such an address.
For Shor's attack, the number of qubits and computation time depend on the elliptic curve (secp256k1 = 256 bits), not the key range. Puzzles need the same ~500,000 physical qubits and the same time as cracking any regular Bitcoin address. The key range simply does not matter for Shor's algorithm.
For Grover's attack, the puzzles actually need fewer qubits since the search register scales with the key range, not the curve size. Most of the qubits still go to the oracle circuit (computing the address from a key), but a less powerful quantum machine that can't yet run full Shor's on 256-bit keys might still be able to brute-force smaller puzzles via Grover.
A quantum computer with Shor's algorithm breaks anyexposed public key equally fast, whether it's a puzzle address or a regular wallet. The puzzles are no more vulnerable than any other address with a known public key. However, these bitcoins are essentially unclaimed bounties, deliberately placed to be found. A researcher who gains access to a powerful quantum computer is far more likely to test it on the puzzle (a legal, victimless prize) than to steal from someone's personal wallet. This makes the Bitcoin Puzzle the first real-world canary for quantum cryptographic breakthroughs: not because it's easier to crack, but because it's the most obvious and ethical target.
All it takes is one researcher with access to a sufficiently capable quantum computer to notice this puzzle. If all remaining puzzles are suddenly solved in a short period, you can be certain: a quantum computer did it. Given Google's latest findings, this will likely happen within just a few years.
Another sign to watch for: sudden movement of very old coins from long-dormant wallets within a short timeframe. Thousands of early Bitcoin addresses (2009–2012 era) used the P2PK format with public keys permanently exposed. If many of these ancient wallets start moving funds simultaneously, it likely means someone is using Shor's algorithm to sweep them at scale.
My Other Projects
Mining Pool Monitor
Bitcoin pool stats at a glance
Monitor hashrate and fees across Bitcoin mining pools directly from your macOS menu bar.
Sources
- Google Quantum AI – Whitepaper on breaking elliptic curve cryptography with fewer than 500K qubits (March 2026)
- Deloitte – Analysis of Bitcoin vulnerability to quantum attacks: ~4M BTC (25%) at risk
- Pollard's kangaroo algorithm – Method used to solve puzzles #75–#130 with known public keys (O(2n/2) vs O(2n)). GPU implementation by JeanLucPons
- Shor's algorithm – Quantum algorithm that breaks elliptic curve cryptography in polynomial time given a public key
- Grover's algorithm – Quantum search algorithm providing quadratic speedup for brute force (N → √N)
- mempool.space – Real-time Bitcoin address balances
- CoinGecko – BTC/USD price data