The debate over quantum computing and Bitcoin has fixated on one scenario: a powerful enough machine cracks a wallet's private key and drains the funds. Andrew Gault, a venture capitalist who has spent a decade funding the quantum hardware labs now building that capability, says that framing misses the more urgent threat by a wide margin.
"The financial system's most dangerous vulnerability isn't stored data, it's the data moving between institutions right now," Gault told CoinDesk in an interview published May 30, 2026 at 05:27 UTC.
Gault is CEO of networking firm ZeroTier and a founding partner of 7percent Ventures, whose portfolio includes British quantum computing startup Universal Quantum. His concern isn't the wallet keys sitting in cold storage. It's the encrypted authentication traffic — exchange API calls, bridge proofs, signed transactions broadcast into public mempools, and the back-channel signing traffic between cold storage and trading desks — that adversaries are capturing right now and storing for later decryption.
The strategy has a name in cryptography: harvest now, decrypt later. It requires no working quantum computer today, only cheap storage and patience. Adversaries accumulate encrypted traffic at scale, then decrypt it the moment quantum capability crosses the threshold.
"Every interbank message, every payment authentication record, and every digital signature traveling across a network today is being collected by sophisticated adversaries who don't need to read it yet," Gault said. "CISOs and security teams have been trained to protect data at rest. What nobody wants to say out loud is that the adversary's strategy has changed. They're patient, they have storage, and they're building a library of today's encrypted traffic to decrypt the moment quantum capability crosses the threshold."
Google's security team drew the same conclusion independently. In a March 2026 post, VP of security engineering Heather Adkins and senior cryptography engineer Sophie Schmieg set 2029 as Google's target for completing its post-quantum cryptography migration, citing progress on quantum hardware, error correction, and factoring resource estimates. The post stated plainly: "The threat to encryption is relevant today with store-now-decrypt-later attacks." Google said it had reprioritized its internal threat model specifically toward authentication services and digital signatures — the same wire-level signing infrastructure Gault points to.
The quantum timeline is tightening. Google's Quantum AI research published in March showed a sufficiently powerful quantum computer could derive a Bitcoin private key from an exposed public key in approximately nine minutes. The Global Risk Institute puts the probability of a cryptographically relevant quantum computer arriving by 2034 at between 19% and 34%.
The financial stakes extend well beyond crypto. In February 2026, Citi modeled a quantum-enabled attack on a single top-five U.S. bank's access to the Fedwire Funds Service, estimating it could trigger a $2 trillion to $3.3 trillion economic cascade, equal to 10% to 17% of real U.S. GDP.
Not everyone frames the wallet-key threat as dire. CoinShares argued in February that the concern is overstated, estimating roughly 10,200 BTC are concentrated enough in vulnerable addresses to materially move markets if stolen. The total addressable attack surface for the wallet-key vector, in other words, is bounded. Gault's wire-level threat is not.
"The particularly uncomfortable reality for financial institutions is that the authentication records being harvested aren't just sensitive," he said. "It's the proof layer that determines who owns what, who authorized which transaction, and who bears legal liability."
The gap in preparedness is stark. Ethereum has launched a coordinated post-quantum migration. Bitcoin has not. Major crypto exchanges and custodians — where the bulk of authentication and signing traffic moves — have not publicly committed to one either.
The industry's attention is on the right technology and the wrong target. The wallet keys in cold storage may survive long enough to migrate. The signed packets already moving across the open internet will not get a second chance.