Huh, That’s Cool

Nobody Can Steal Satoshi's Bitcoin

Satoshi's million bitcoin sit in plain sight, behind a lock anyone may pick — for free, millions of tries a second, with no guard. Against any computer we could build, it is the safest fortune that has ever existed, and the reason is just a number, bigger than the universe can count to. (There's exactly one asterisk, and we'll get to it honestly.)

Somewhere on the Bitcoin blockchain, in public, readable by anyone, sit roughly a million coins that have not moved in fifteen years. They belonged to Satoshi Nakamoto, Bitcoin's vanished inventor, and at today's prices they're worth north of sixty billion dollars.1 2 3

Here is the strange part. There is no bank around them. No vault door, no guard, no alarm. The address is public. The rules of the system let anyone — you, right now, on the laptop you're reading this on — try to unlock them. You can try for free. You can try as fast as your computer will go. You can try forever, and no one will stop you, or slow you down, or even know you're trying.

So this really is, as people love to say, a safety-deposit box that anybody can attempt to crack, millions of times a second. The money is right there.

And yet it's still there. Nobody has taken it. Not in fifteen years, with the whole world watching and the prize growing into the billions. This is the story of why — a story that turns out to be less about money than about a number so large it breaks your sense of "large," and about the one honest crack in the wall that the number can't cover.

Part 1The lock is 256 coin-flips

To spend those coins, you need their private key. And a Bitcoin private key is almost insultingly simple: it's just a 256-bit number. Flip a coin 256 times, write down heads-or-tails as ones and zeros, and you have a key. Somewhere in that space of all possible 256-flip sequences is the one that opens Satoshi's address.

A heavy vault standing wide open with money plainly visible inside, beside a giant keypad reading “2²⁵⁶ possible keys — one is the right one”; a figure shrugs, “anyone can try — free, forever, millions of guesses a second.”
The money is right there, and anyone may try the lock. So why is it still there?

That's the whole secret. The address is public and easy to check: given a key, your computer can instantly work out which address it controls, and see if it's the one holding the money. There's no password-attempt limit, because there's nothing central to limit it — you're not logging into a server, you're just checking math on your own machine. The only thing standing between you and the fortune is which of the possible keys is the right one.

(One wrinkle we'll need later. If an address has never been used, even its public key stays hidden, and the attacker must search that whole space. But Satoshi's earliest coins use an old format that left their public keys sitting in the open from the very first block — and that, it turns out, makes the wall around them a different, shorter wall than the one most coins enjoy. Hold that thought; it's where the whole story bends.)

How many possible keys are there? Two to the 256th power.4 Written out, that's about 1 followed by 77 zeros.5 Which means nothing to you, because numbers that big mean nothing to anyone. So let's fix that, because it's the whole game.

Part 2How big is that, really?

Not "a lot." A different category of large.

A vertical scale: atoms in the observable universe (~10⁸⁰) at the top, then “every possible key (2²⁵⁶) ≈ 10⁷⁷” highlighted just below it, then a sheer drop to stars (~10²³) and grains of sand on Earth (~10¹⁹).
Not “a lot” — a different category of large. Nearly the atom-count of the whole universe.

Start with something already too big to picture: every grain of sand on every beach on Earth. That's about 1019 grains — a 1 with nineteen zeros.6 Now go bigger. Every star in the observable universe: about 1023, ten thousand times more than all that sand.6

Now keep going, past anything you can point at, all the way to the atoms. Every atom in every star in every galaxy in the entire observable universe comes to roughly 1080.5 And that — the count of every atom in existence — is finally in the same neighborhood as the number of possible Bitcoin keys. There are about 1077 keys: very nearly the number of atoms in the universe, only about a thousandfold fewer.5

Sit with that. The lock has roughly as many combinations as there are atoms in the sky. If you could somehow assign one key to every atom in a thousand universes, you'd just about have enough atoms to label them all.

“But the probability isn't zero. Someone could get lucky and guess it on the very first try.”

True — and it's worth being precise, because "not zero" is doing a lot of dishonest work in that sentence. The chance of hitting the right key on one random guess is about 1 in 1077. Here's a way to feel it: to match those odds, you would have to win a national lottery jackpot — a roughly 1-in-300-million shot — about nine times in a row. Buy a ticket for the next nine jackpots and hit all nine: that is one guess at the key. "Not impossible" and "possible" are not the same word. Past a certain point, a probability is so small that treating it as zero isn't a simplification; it's just accurate.

Part 3So people try. It doesn't matter.

You might think: fine, one laptop can't do it, but what about all the computers? People have built staggering machines to mine Bitcoin. Point all of them at guessing keys instead.

A row of data centers labeled “the entire Bitcoin network — ~10²¹ tries every second,” beside a totally empty progress bar marked “guessing since the Big Bang… 0.000 000 … 0 % complete.”
Every computer on the network, since the Big Bang, checks fewer than 1 in 10³⁸ of the keys.

So let's be absurdly generous to the attacker. The entire Bitcoin mining network runs at something like 1021 operations per second — not "millions a second," a billion trillion a second, far more than any real key-cracking could manage.7 Now run that for the whole age of the universe: every computer on the network, going since the Big Bang, 13.8 billion years.

After all of that, you would have checked fewer than 1 in 1038 of the possible keys.7 Not 1%. Not a millionth of a percent. A number with thirty-seven zeros after the decimal before you reach a non-zero digit. You run out of universe long, long before you run out of keys.

And here's the part that closes the door for good — the reason this isn't merely hard but impossible. Forget computing for a second. Forget cleverness. Just imagine a counter, and the simplest possible task: tick it up by one, 2256 times. Not check a key, not do any math — just count.

A billion Suns being annihilated entirely (E = mc²), an arrow labeled “barely powers,” and a battery captioned “a counter, ticking up by one, 2²⁵⁶ times — just to COUNT, not even compute.” A red note: “physics, not patience.”
Merely counting to 2²⁵⁶ would burn a billion Suns. The wall is thermodynamics, not engineering.

There's a law of physics — Landauer's limit — that sets the minimum energy to flip a single bit, even with perfect, lossless, far-future hardware.8 Multiply that floor by 2256, and the energy required just to count that high comes to more than you would get by taking well over a billion Suns and converting every atom of them entirely into energy.8 Not powering them — annihilating them, E = mc2, and pouring all of it into a counter.

That's the wall. It isn't that nobody has built a fast enough computer yet. It's that there isn't enough usable energy in a billion stars to run the counter to the end. The security isn't engineering. It's thermodynamics.

One honest caveat, and it's the hinge of this whole essay: that billion-Suns wall is the wall around a fresh key — one whose public key is still hidden. Satoshi's coins, with their public keys exposed since the first block, sit behind a shorter wall. Still far, far out of reach of any machine that could ever be built, as we're about to see — but not this cosmic one. Keep that difference in your pocket; Part 5 is where it comes due.

“This is a sleight of hand. A Bitcoin address is only a 160-bit hash, and for coins that have ever been spent the real security is just 128 bits, not 256. You're inflating the number.”

A fair and sharp objection — and exactly the wrinkle from Part 1, come due. The honest answer is that there are three walls, not one.4 If an address has never been used, an attacker has to guess the full key — that's the 2256 wall above. The address itself is a 160-bit fingerprint of the key, so finding any key that fits it is "only" a 2160 problem — still about 1048, still hopeless. And if the public key is known — which for most addresses happens the moment you spend from them, and which for Satoshi's old-format coins has been true since the block they were mined in — there's a shortcut called Pollard's rho that cracks it in about 2128 steps instead.4 So yes: the honest floor for Satoshi's exposed coins is 128 bits, not 256.

Now, a careful reader catches something alarming here. 2128 is about 1038 — and that's roughly the same 1038 we just got for the entire network grinding since the Big Bang. Have we accidentally shown the coins are crackable? No — and the reason matters. Those 1038 were SHA hashes, the blazing-fast operation mining chips are built for. An actual elliptic-curve key-crack is a different, far heavier computation — at least ten billion times slower per step.9 Redo the "since the Big Bang" sum in real elliptic-curve operations and you reach only about 1028 — still ten orders of magnitude short of 2128. So the exposed-key wall isn't cosmic like the 2256 one; it's "merely" that no classical machine that could ever be built finishes in any span of time that means anything. (All of this also leans on a decades-old, unproven conjecture: that no one ever finds a fast classical shortcut for the elliptic-curve problem. None is in sight — but, like all of public-key cryptography, it's an assumption, not a theorem.) A smaller wall. Still a wall. Hold onto that 128-bit number, though — it's where the one real danger lives.

Part 4So how is crypto stolen? Around the lock.

Because crypto obviously does get stolen. Billions of dollars of it, in headline after headline. If the lock is so perfect, what's going on?

A pristine vault labeled “the lock: never once picked, in 15 years, with billions inside,” while a smug thief strolls through a wide-open dashed “side door” past labels: phishing, malware that swaps the address, exchanges that lose your keys, keys that weren't truly random.
Every famous theft walked in a side door. None broke the math. The randomness is the product.

Here's the thing every big theft has in common: not one of them broke the lock. They all walked in a side door.

Mt. Gox, which lost something like 650,000 to 850,000 bitcoin in 2014, wasn't cracked — it was an exchange that held everyone's keys for them and lost control of them, through mismanagement and a transaction bug, over years.10 The exchange hacks, the drained wallets, the SIM-swaps: phishing emails, malware that silently swaps the address you paste, a support rep tricked into moving your phone number, a company that kept your keys on a server someone broke into. The math was never touched. The humans and the software around it were.

And there's one cheap door that looks like cracking but isn't: bad randomness. If a key wasn't 256 honest coin-flips — if it came from a weak random-number generator, or from a "brainwallet" passphrase someone could remember — then it doesn't live in that vast space of 1077 at all. It lives in a tiny human-sized corner of maybe 1015 possibilities, and that corner gets swept clean in seconds. One researcher emptied about nine hundred such wallets with a laptop.11 The math can even be undone one layer up: every signature needs its own fresh random number too, and if a wallet ever reuses or botches that, the private key falls straight out of two signatures by schoolbook algebra — which is precisely how some early thefts worked.11

So the lesson isn't that the lock is weak. It's that the randomness is the product. A key is only as strong as it is unguessable, and the only way to make it that strong is to make it truly, boringly random — and then never hand it, or the keys to it, to anyone who can lose them. And that perfection cuts both ways: the lock no attacker can pick is just as merciless to an owner who loses the key. More bitcoin has been lost forever to forgotten passphrases and dead hard drives than to every thief combined — and whether Satoshi's billions are kept or simply lost is a question no one can answer.

Part 5The one real asterisk

There is exactly one way the wall genuinely cracks, and honesty demands we walk straight into it.

Three panels: a greyed-out server with a skull (“brute force: still hopeless”); an atom (“a quantum computer doesn't guess — it solves: Shor's algorithm computes the key from a public key left in the open”); a red vault (“Satoshi's keys are exposed — and never move. The bullseye.”).
The one honest crack: a quantum computer wouldn't guess — it would solve an exposed key.

A quantum computer would not guess faster. That's the common misconception. It would do something different in kind: it would solve. There's an algorithm — Shor's — that, on a big enough quantum machine, computes a private key directly from a public key, not by trying possibilities but by taking a mathematical shortcut through them.12 It turns that 2128 wall from "no computer could finish in the life of the Sun" into something a sufficiently large quantum computer could do in hours.

Crucially, it only works when the public key is exposed. For an address you've never spent from, the public key is still hidden behind that 160-bit hash, and Shor has nothing to grab onto. (There's a separate quantum trick, Grover's algorithm, but it only speeds up blind search — the kind you'd aim at a hidden address hash — and only by halving the exponent, turning a 2160 hunt into 280, still out of reach. It's Shor, not Grover, that threatens the elliptic-curve key, and Shor doesn't halve the problem — it dissolves it.12)

And here is why Satoshi, specifically, is the bullseye. Satoshi's earliest coins are stored in an old format that puts the public key right there on the blockchain, in the open, for everyone to see.4 Most people can defend themselves the day quantum gets close: just move your coins to a fresh address, and the public key goes back into hiding. But Satoshi has not touched these coins in fifteen years and, as far as anyone knows, never will. The keys are exposed and frozen in place. That makes this the single most quantum-vulnerable pile of money on Earth.

“So quantum is going to take it. Or — no, quantum is hype that's been 'ten years away' for thirty years. Which is it?”

Neither, and the honest answer is the boring middle. No quantum computer that exists today is remotely close.

Two bars: “today's best — ~1,000 noisy qubits” (tiny) versus “what Shor needs — ~millions of error-corrected qubits” (vast, “bar not remotely to scale”). In green: “The fix already exists — move your coins to a fresh, quantum-safe address. Everyone can. Satoshi can't.”
Real, distant, uncertain — and the only one who can't move his coins is the one who vanished.

Breaking Bitcoin's curve with Shor's algorithm would take thousands of error-corrected qubits — which translates to something like one to thirteen million physical ones, with full error correction.13 The best machines today have on the order of a thousand physical qubits, noisy and uncorrected — a count that climbs every year, but against the millions of error-corrected ones Shor needs, the gap is still enormous, and the error correction is a kind of reliability nobody has yet built at scale.13 Surveys of the experts put a real threat somewhere in the 2030s to 2040s, with wide disagreement and a serious contingent saying never at that scale.14 Give it a range, not a date.

And the defense is already standardized — new "post-quantum" signature schemes finalized in 2024, which Bitcoin could adopt, plus the simple act of moving exposed coins to safety.14 There's even a collective version of that fix: Bitcoin has rewritten its own rules before (SegWit, Taproot), so the network could, in principle, agree to migrate or freeze the old exposed coins ahead of any quantum attacker — protecting Satoshi's fortune without Satoshi. It's a real option, with precedent. But it runs into two hard walls of its own: whether consensus could form in time, against an attacker who only has to succeed once; and whether a community that treats "not your keys, not your coins" as sacred could ever stomach freezing coins without their owner's key — even these.15 The point is: this is a real, distant, uncertain risk that the world has time to prepare for — and the only person who can't prepare is the one who vanished.

Still there

The vault again, untouched, money still inside, door still open, beside a clock and a “guess counter: 0.000…%” after fifteen years and the whole world watching.
Guarded by no walls and no men — only a number, and the only way in was never to guess it.

So the money sits there, in the open, behind a lock anyone may try and no one can pick. Not because it's hidden, or guarded, or defended by anything you could photograph. It's defended by a number — one specific sequence of 256 coin-flips, drawn from a pool as deep as the atoms in the sky.

That's the quiet miracle buried in all the crypto noise. We tend to think security is a thing you build — thicker walls, better guards, smarter alarms. Here it's something you count to, except no one can: a fresh key hides behind a wall of pure thermodynamics, and even Satoshi's exposed coins sit behind a number no machine we could ever build could finish solving. Against any computer that could exist, the safest fortune in history isn't protected by walls, or guns, or men.

It's protected by a number — and, for as long as the one machine that could finally solve it goes unbuilt, that is enough. The only way in was never to guess it.

Footnotes & receipts

  1. Satoshi's ~1 million BTC. The best estimate comes from Sergio Demian Lerner's "Patoshi" analysis (Bitslog, 2013 and 2019), which spotted a distinctive pattern in the earliest mined blocks suggesting a single miner accumulated on the order of 1.0–1.1 million BTC, almost all of it never spent. The attribution to Satoshi is probabilistic, not certain.
  2. "Vanished inventor." Satoshi Nakamoto stopped posting publicly in 2010–2011 and has never been conclusively identified. The coins attributed to that early miner have, with one or two disputed exceptions, never moved.
  3. "North of sixty billion dollars." At a Bitcoin price of roughly $63,000 (mid-June 2026), about 1.0–1.1 million BTC is worth roughly $65–70 billion. Bitcoin's price is highly volatile; this figure swings with it.
  4. Three security levels. A private key is effectively a 256-bit number (secp256k1's group order n ≈ 1.158×1077). Guessing a key for an unused address means searching ~2256; finding any key matching the address's 160-bit hash is ~2160; and once a public key is exposed (on a spent address, or on the old "pay-to-public-key" outputs Satoshi used), Pollard's rho solves the elliptic-curve discrete log in ~2128 steps. Sources: SEC 2 (secp256k1 parameters); Bitcoin Wiki, "Secp256k1"; standard ECC security analysis. Satoshi's early coinbase rewards are pay-to-public-key, so their public keys are visible on-chain.
  5. 2256 and atoms. 2256 ≈ 1.158×1077. Estimates of atoms in the observable universe cluster around 1080 (range ~1078–1082), from total baryonic mass divided by average atomic mass. So the keyspace (~1077) is roughly a thousandfold smaller than the atom count — "nearly as many," not "more." Sources: SEC 2; standard cosmology estimates (e.g., via Space.com / Tegmark).
  6. Sand and stars. Grains of sand on Earth's beaches ≈ 7.5×1018 (Univ. of Hawaii estimate, widely cited). Stars in the observable universe ≈ 1022–1024 (ESA/NASA; ~1011 galaxies × ~1011 stars). Both are order-of-magnitude figures.
  7. Guessing since the Big Bang. The Bitcoin network's hash rate is ~9.4×1020 hashes/second (~940 EH/s, mid-2025; BitInfoCharts). The universe is ~4.35×1017 seconds old (13.8 Gyr; Planck 2018). Their product is ~4.1×1038 operations — about 3.5×10-39 of 2256, i.e. fewer than 1 in 1038 of the keys. This is generous to the attacker: SHA-256 mining hashes are far faster than the elliptic-curve operations real key-cracking needs.
  8. The thermodynamic wall. Landauer's principle sets the minimum energy to irreversibly flip one bit at kT·ln2 ≈ 2.75×10-21 J at room temperature (Landauer, IBM J. Res. Dev., 1961). Counting through 2256 states therefore needs ≥ ~3.2×1056 J. The Sun's entire mass-energy (E=mc2) is ~1.8×1047 J, so this is ~1.8 billion Suns' worth of total mass-energy — at perfect efficiency, merely to count. Bruce Schneier made this argument for 2192 in Applied Cryptography (1996); 2256 is far more extreme.
  9. Why 2128 is a smaller wall. Counting through 2128 states at the Landauer limit is only ~9×1017 J — a civilization-scale amount of energy, not a cosmic one. So the "more energy than the universe" argument is specific to the full 2256 keyspace; the 2128 exposed-key case is infeasible for a different reason: no classical machine is remotely fast or long-lived enough to run Pollard's rho that far. The arithmetic coincidence that the whole network's lifetime output (~4×1038 operations) is near 2128 (~3.4×1038) is misleading, because those were SHA-256 hashes; an actual secp256k1 point multiplication is on the order of ten billion (~1010) times more work per step, so the same since-the-Big-Bang budget in real elliptic-curve operations is closer to ~1028 — about ten orders of magnitude short of 2128. And the whole edifice assumes ECDLP has no undiscovered fast classical algorithm — a long-standing conjecture, not a theorem, as is true for all public-key cryptography. This is exactly why the quantum threat (Shor) matters only for exposed keys.
  10. Mt. Gox. ~850,000 BTC went missing (≈650,000 in net customer losses); the exchange halted withdrawals in February 2014 and filed for bankruptcy that month. The cause was key-management failure and exploitation of transaction malleability over time — not a brute-force attack on the cryptography. (Ars Technica, 2014.)
  11. Weak keys and brainwallets. Keys generated with broken randomness (e.g., the 2013 Android SecureRandom flaw) or derived from memorable passphrases ("brainwallets") occupy a search space of perhaps 1010–1020 candidates, not 1077. Ryan Castellucci demonstrated cracking ~900 brainwallets (~$103,000) at DEF CON 23 (2015). These exploit weak entropy, not weak cryptography. (Ars Technica, 2013 and 2016.)
  12. Shor and Grover. Shor's algorithm (P. Shor, SIAM J. Computing, 1997) solves the discrete-logarithm problem in polynomial time on a quantum computer, recovering a private key from an exposed public key. Grover's algorithm (1996) only gives a quadratic speedup for unstructured search — e.g. the 160-bit address hash, 2160 → 280, or a 256-bit key-guess, 2256 → 2128 — both still infeasible. So the quantum danger is Shor against exposed public keys, not Grover against hashes.
  13. Qubit estimates. Running Shor against a 256-bit elliptic curve needs ~2,330 logical (error-corrected) qubits (Roetteler et al., 2017), which translates to roughly 1–13 million physical qubits with full error correction (Webber et al., 2022). Today's largest processors — IBM Condor (1,121 physical qubits, 2023), Google Willow (105, 2024) — are noisy and not error-corrected. The gap is ~4 orders of magnitude plus fault tolerance.
  14. Timelines and the fix. Expert surveys (Mosca / Global Risk Institute, 2022) put a meaningful chance of a cryptographically-relevant quantum computer in the 2030s–2040s, with wide uncertainty and some experts saying it may never reach that scale. NIST finalized post-quantum cryptographic standards in August 2024 (FIPS 203 ML-KEM, 204 ML-DSA, 205 SLH-DSA). Individuals defend exposed coins simply by moving them to a fresh address.
  15. Freezing Satoshi's coins. Proposals like the draft BIP-360 would add quantum-resistant address types to Bitcoin and debate what to do with old exposed outputs — migrate them, freeze them after a deadline, or do nothing. Freezing coins without their owner's key cuts against Bitcoin's core promise of immutability, and there is no consensus. As of 2026 these remain unresolved proposals, not activated changes.