Most of the quantum-risk conversation in crypto has centered on Bitcoin: the dormant coins in exposed addresses, the eventual need to migrate signatures, the debate over frozen Satoshi-era wealth. But there is a quieter, faster-growing target that the industry has been slower to name. Stablecoins now settle trillions of dollars a year and hold hundreds of billions in reserves. That combination of scale, liquidity, and concentrated control makes them arguably the most tempting single prize a cryptographically relevant quantum computer could reach.
The reason is not that stablecoins are technically weaker than other tokens. It is that they sit at an unusual intersection of value and vulnerability. They inherit the same pre-quantum signature schemes as the chains they run on, they carry immense dollar-denominated balances, and they are governed by a small number of issuers whose freeze powers cut both ways. Understanding why stablecoins are such an attractive quantum target means looking at all three at once.
Why Value Concentration Attracts the First Attack
A quantum attacker will not have unlimited runway. The first cryptographically relevant quantum computers will be scarce, slow, expensive to operate, and almost certainly detectable once they begin breaking keys at scale. Whoever controls one will face a stark economic question: where do you point it first? Rational adversaries target the highest value per unit of effort, and stablecoins score unusually well on that metric.
Consider the raw numbers. The two largest dollar stablecoins alone account for well over 200 billion dollars in circulating supply, and total stablecoin capitalization has repeatedly pushed past 300 billion dollars. Unlike volatile assets, that value does not evaporate the moment an attack begins. A stolen dollar-pegged token is designed to remain worth a dollar. For an attacker, that stability is a feature: it removes the price-collapse risk that would accompany draining a thinly traded governance token.
The first quantum attacker will be resource-constrained and point their machine at the richest, most liquid target available. Stablecoins offer exactly that: enormous, dollar-stable balances secured by signatures the machine is built to break.
How a Quantum Attack on a Stablecoin Actually Works
The threat is not that a quantum computer somehow prints fake tokens. It is that it can derive a private key from information already visible on the public ledger. Most stablecoins ride on chains that use elliptic-curve signatures: ECDSA over the secp256k1 curve on Bitcoin and EVM chains, or Ed25519 on other networks. These signatures are secure today because deriving a private key from a public key requires solving the elliptic-curve discrete logarithm problem, which classical computers cannot do in any practical timeframe.
Shor’s algorithm changes that. Running on a sufficiently large, error-corrected quantum computer, it can solve the discrete logarithm problem efficiently. Once an attacker recovers the private key controlling an address, they control everything that address holds, including its stablecoin balance. From the chain’s perspective, the fraudulent transfer is perfectly valid. It carries a correct signature. Nothing about it looks like theft until the funds are already gone.
The exposure window matters. On many networks, a public key becomes visible the moment an address transacts. High-value stablecoin wallets, exchange hot wallets, market-maker addresses, and treasury accounts transact constantly and hold large balances between transactions. They are, in effect, standing targets: their public keys are known, their balances are large, and they cannot simply go dormant the way a long-term Bitcoin holder can.
The Reserve Problem Sits Off-Chain
There is a second layer to the stablecoin threat that pure token attacks do not have. Fiat-backed stablecoins are promises: each token represents a claim on reserves held by the issuer, typically in cash, short-term Treasuries, and equivalents. Those reserves are managed through traditional financial infrastructure, which is also racing to migrate away from quantum-vulnerable cryptography.
This creates a two-front exposure. On-chain, the tokens themselves depend on pre-quantum signatures. Off-chain, the banking, custody, and settlement systems that hold the backing assets depend on TLS, RSA, and elliptic-curve cryptography that face the same eventual threat. A stablecoin is only as trustworthy as the weaker of those two layers. A quantum adversary does not need to break both; compromising either the token supply or the reserve infrastructure is enough to break the peg’s credibility.
- Token layer: balances secured by elliptic-curve signatures that Shor’s algorithm targets directly.
- Reserve layer: custody and settlement systems secured by classical public-key cryptography undergoing their own slow migration.
- Trust layer: a peg that only holds while the market believes both of the above are sound.
The Freeze Paradox: Centralized Control Cuts Both Ways
Here is where stablecoins diverge sharply from Bitcoin. Major fiat-backed issuers can freeze and blacklist addresses at the contract level. In the aftermath of a quantum attack, that power looks like salvation: an issuer could freeze stolen balances, refuse to honor fraudulent transfers, and reissue tokens to legitimate holders. Where a decentralized network would be forced into a wrenching debate over rolling back valid transactions, a centralized issuer can simply act.
But that same power is why the freeze is a paradox rather than a solution. Freezing at scale means the issuer, not the protocol, decides which transactions are legitimate. It concedes that the stablecoin was never censorship-resistant to begin with. And it introduces a race condition an attacker will try to win: convert the stolen stablecoins into assets the issuer cannot freeze before the blacklist lands.
A quantum thief holding freshly stolen stablecoins has minutes, not days. The obvious escape is to swap into a truly decentralized, non-freezable asset, or to bridge across chains faster than issuers and exchanges can coordinate. This turns a quantum break into a liquidity sprint. The issuer’s freeze power is real, but it is reactive, and reactive defenses fail against an adversary who plans the exit before the attack.
The freeze switch that makes stablecoins recoverable after a quantum break is the same switch that proves they were never trustless. Recovery and censorship are the same lever pulled in opposite directions.
Harvest Now, Decrypt Later Already Applies
The most uncomfortable point is that the threat does not begin on the day a quantum computer arrives. Public blockchains are permanent, public archives. Every exposed public key, every transaction graph, every address that has ever revealed its key is recorded and downloadable today. An adversary does not need a working quantum computer now to benefit from stablecoin activity now. They can harvest the data and wait.
This harvest now, decrypt later dynamic is well understood in the context of encrypted communications, where NIST’s post-quantum standards and mandates like CNSA 2.0 are already driving migration, but it applies just as forcefully to on-chain value. The public keys behind today’s largest stablecoin wallets are already visible. When a cryptographically relevant quantum computer exists, those keys will not need to be discovered. They will simply be processed. Balances that still sit in those addresses, or in addresses derived from the same exposed keys, are effectively pre-marked targets.
That changes the timeline for defenders. The relevant deadline is not when quantum computers can break keys. It is when the value you are protecting must remain secure. Stablecoin reserves, treasury balances, and long-lived custody addresses need to be safe for years, which means the migration to quantum-secure signatures has to begin well before the machine that threatens them is built.
What Issuers Can Actually Do
The good news is that stablecoins, precisely because they are centrally issued and upgradeable, may be better positioned to migrate than fully decentralized assets. An issuer does not need to win a governance war to change signature schemes. It can plan a migration, coordinate with the chains it deploys on, and move reserves to quantum-secure custody on its own timeline. The question is whether issuers treat this as a genesis-level design constraint or a problem to defer.
- Adopt post-quantum signatures such as the NIST-standardized ML-DSA family for token authorization, accepting the larger signature sizes and throughput costs that come with them.
- Deploy on quantum-resistant chains or support address formats that avoid exposing public keys until spend, reducing the standing-target problem.
- Harden reserve infrastructure by migrating custody, settlement, and banking connections to post-quantum cryptography in parallel with the token layer.
- Publish a migration roadmap so holders, exchanges, and regulators can price the risk rather than discover it during an incident.
None of these steps is simple. Post-quantum signatures are dramatically larger than the ones in use today, which pressures fees and throughput. Coordinating a migration across multiple chains, wallets, and custody providers is an operational undertaking measured in years. But the alternative is worse: a stablecoin that reaches the quantum era with pre-quantum signatures and a reactive freeze switch as its only defense.
Where a Genesis-Quantum Design Like Quantus Fits In
The migration problem is hardest for systems that were never designed with the quantum threat in mind. This is exactly the gap that a network built to be quantum-secure from genesis is meant to close. Quantus is one of the clearest examples of that approach: instead of bolting post-quantum cryptography onto a live chain years after launch, it treats quantum resistance, privacy, and scalability as founding constraints rather than future patches.
That distinction matters for stablecoins in particular. An issuer deploying dollar-pegged value needs a base layer where quantum-secure signatures, private transfers, and real throughput already coexist, not one where adding any of them later breaks the other two. Quantus is designed around that combination from the start: ML-DSA-87 for quantum-secure signatures, recursive STARKs for quantum-resistant scaling, and a privacy layer for confidential post-quantum transactions. Because ML-DSA signatures are far larger than the elliptic-curve signatures live chains use today, retrofitting them into an existing system is exactly the kind of disruptive change a genesis-quantum design avoids. Value settled there does not inherit the standing-target problem that exposes pre-quantum wallets the moment they transact.
The appeal of a genesis-quantum chain is not that it is faster or cheaper today. It is that it never has to run the terrifying live migration that every pre-quantum stablecoin will eventually be forced into.
None of this makes quantum-native infrastructure a magic solution. Larger signatures still cost throughput, privacy still adds overhead, and any chain still has to earn liquidity and trust. But for value that must remain secure for years, starting from a quantum-resistant foundation removes the single most dangerous variable: the assumption that there will be enough time to migrate later. That assumption is exactly what the next section calls into question.
Why Claude Mythos Just Broke the Defender’s Time Advantage
Every reassurance about quantum risk rests on one shared assumption: that the timeline is predictable and that defenders will have enough runway to migrate before the threat matures. The arrival of frontier cybersecurity AI is what makes that assumption dangerous. When Claude Mythos entered preview in April 2026, it demonstrated something the security world had feared in the abstract for years: an AI capable of finding real, exploitable vulnerabilities at machine speed. In its early evaluations it surfaced hundreds of previously unknown flaws across major codebases, including a large batch in Mozilla’s browser engine and a bug in OpenBSD that had survived undetected for 27 years.
The concern is not that any single stablecoin contract is uniquely fragile. It is that the entire attack economy has changed shape. Anthropic’s Project Glasswing, a joint defense initiative launched with security leaders from Cisco, AWS, Microsoft, and Cloudflare, was created precisely because, in their words, exploits that once took months can now happen in minutes. When Cloudflare ran a Mythos preview across more than fifty of its own repositories, it found vulnerabilities its existing tooling had missed. Security analysts have flagged the same capability from the offensive side: an AI that can autonomously discover and chain exploits is a fundamentally new kind of attacker. The barrier to discovering a critical flaw has collapsed, and it has collapsed for attackers and defenders at the same time.
That symmetry is exactly the problem, because the underlying game was never symmetric to begin with. A defender has to protect every line of code, every contract, every custody integration. An attacker has to find one exploitable path. As the panel on IBM’s Mixture of Experts put it, an attacker only needs to find a single vulnerability, and AI amplifies that asymmetry to an extreme. For stablecoins, where a single compromised issuer contract, bridge, or hot wallet can put billions in motion, an attacker armed with a Mythos-class tool no longer needs quantum computing to be dangerous today.
The defender’s oldest advantage was time: the months between when a vulnerability existed and when someone found it. AI-driven discovery erases that buffer, and it erases it for the attacker first.
Now layer the quantum threat back on top. The same class of AI that compresses vulnerability discovery is being pointed at scientific research, and the bottlenecks in building a cryptographically relevant quantum computer are research problems: better error-correcting codes, more efficient circuit layouts, and lower fault-tolerance overhead. These are search-and-optimization problems of exactly the kind AI is proving good at. An AI system does not need to build a quantum computer to move its arrival forward. It only needs to compress the research cycles that stand between today’s noisy prototypes and a machine large enough to run Shor’s algorithm against real keys.
This reframes the entire risk calculus. A defender planning a multi-year signature migration is implicitly betting that both timelines stay slow: that AI will not find the fatal contract bug first, and that AI will not pull the quantum deadline forward mid-migration. The harvest-now-decrypt-later data is already sitting in public archives. Between AI-accelerated exploitation today and AI-accelerated quantum research tomorrow, the comfortable estimate that there will be enough time is the assumption most likely to fail.
The prudent response is not to predict the exact date. It is to stop treating the timeline as generous. Every month that AI accelerates both attack discovery and quantum research is a month subtracted from the migration window, and issuers who plan around the old, comfortable estimates may find that the future arrived while they were still drafting the roadmap.
The Money Is Already Moving Toward Quantum
Timelines do not accelerate on research breakthroughs alone. They accelerate on capital, and the capital is arriving. In late 2025 the Finnish quantum-hardware company IQM debuted on Nasdaq, becoming one of the first pure-play quantum computing firms to reach the public markets. A quantum company clearing the bar for a US listing is a signal that institutional investors now treat the field as a fundable industry rather than a distant science project.
That shift shows up across the hardware supply chain, too. The semiconductor and chip industry, tracked week to week by outlets like Semiconductor Engineering, is steadily folding quantum and post-quantum work into its roadmaps: fabrication partnerships, control-electronics advances, and error-correction research that all feed the same trajectory. When public markets, chipmakers, and AI research start pulling in the same direction, the pace of progress stops depending on any single lab.
A field that just produced its first Nasdaq-listed hardware company is not one you plan around as if it were a decade away. The funding milestones are the leading indicator; the cryptographic deadline is the lagging one.
For stablecoin issuers, the lesson is uncomfortable but simple. The threat is not waiting on a lone genius in a lab. It is being funded, industrialized, and accelerated by AI in parallel. Each of those forces alone would justify starting a migration early. Together, they turn a comfortable multi-year runway into a bet no custodian of hundreds of billions in value should want to make.
The Takeaway
Stablecoins are not more fragile than other crypto assets in any technical sense. They are more attractive. They pair enormous, dollar-stable value with the same pre-quantum signatures every other token relies on, they anchor that value to off-chain reserves running their own vulnerable cryptography, and they defend it with a freeze switch that is powerful but reactive. For a resource-constrained quantum attacker choosing where to strike first, that is close to an ideal target.
The threat is not hypothetical in the way it once was. The data is being harvested now, the deadline is set by how long today’s value must stay safe, and the migration is measured in years. And with systems like Claude Mythos now accelerating both attack discovery and the research that builds quantum machines, that runway can no longer be assumed to be long. The comfortable estimates are the ones most likely to fail.
Two futures follow from that. Value that migrates in time, or that lives on genesis-quantum infrastructure like Quantus, carries into the next era intact. Value that waits for a deadline it assumes is distant may discover, too late, that AI moved the deadline first. Whether stablecoins remain the most trusted instrument in crypto or become its most spectacular quantum casualty will be decided by choices issuers make well before the machine that threatens them ever powers on.
Sources and Further Reading
- Anthropic, Project Glasswing — joint defense initiative on AI-accelerated cyber threats.
- Cloudflare, Project Glasswing: what Mythos showed us — vulnerability discovery across its own repositories.
- Wikipedia, Claude Mythos — timeline of the preview release, evaluations, and export controls.
- IBM, Mixture of Experts: Claude Mythos, Project Glasswing and AI cybersecurity risks.
- Pluralsight, What is Claude Mythos? — benchmark details, including the OpenBSD and Firefox findings.
- Palo Alto Networks, What Are NIST PQC Standards? — ML-DSA, CNSA 2.0, and harvest-now-decrypt-later.
- IETF, Security Considerations for ML-DSA — signature structure and size implications.
- Quantus Network, quantus-network/chain — official node implementation and architecture.
- PostQuantum.com, Anthropic Mythos Preview and AI Offensive Security — analysis of AI-driven autonomous exploitation.
- Silicon Republic, Finnish quantum company IQM makes history with Nasdaq debut.
- Semiconductor Engineering, Chip Industry Week In Review — quantum and post-quantum work across the hardware supply chain.
- Japan AI, Claude Mythos and AI security (Japanese) — commentary on AI cybersecurity capabilities.