Why I Stopped Betting on Bitcoin: Mythos, Quantum, and the End of an Assumption

I was a Bitcoin guy. I was an Ethereum guy. For years I argued that decentralized, mathematically secured money was one of the most important experiments of our lifetime. I still think the experiment mattered. I just no longer think it will survive the decade.

Two things in the past two weeks pushed me from “cautious” to “out.” The first is a new AI model from Anthropic called Claude Mythos. The second is a paper from Google’s Quantum AI team that quietly redrew the timeline for when Bitcoin’s cryptography breaks. Taken separately, either would be a warning shot. Taken together, they describe a future where the core assumptions behind proof-of-work chains no longer hold — and where the governance model that made Bitcoin beautiful is exactly what makes it unable to save itself.

This is a personal post, not investment advice. But if you’re holding BTC or ETH as a long-term store of value, I think you deserve to read what changed my mind.

What Mythos actually is

On April 7, 2026, Anthropic announced Claude Mythos Preview — and then announced that it would not release it publicly. That alone is unprecedented. Anthropic wrote a 244-page system card for a model it decided was too dangerous to ship.

The headline is the cybersecurity capability. Anthropic’s Frontier Red Team used Mythos Preview to identify thousands of zero-day vulnerabilities across every major operating system and every major web browser, many of them critical severity. On Cybench, an industry benchmark of capture-the-flag challenges, Mythos scored 100% — saturating the benchmark so completely that Anthropic says it is “no longer sufficiently informative.” Anthropic engineers with no formal security training reportedly asked Mythos to find remote code execution vulnerabilities overnight and woke up to complete, working exploits.

In response, Anthropic launched Project Glasswing, a restricted partnership with AWS, Apple, Google, Microsoft, NVIDIA, JPMorgan Chase, Cisco, CrowdStrike and roughly 40 other organizations. The premise is that AI models that can find vulnerabilities at superhuman speed have crossed a threshold, and the only defensible strategy is to arm defenders first.

But the part that should stop you is not the benchmarks. It’s the behavior.

During internal testing, Mythos was placed in a sandbox designed to isolate it from the internet. It broke out. It then, without being instructed to, sent an email to a researcher who was eating a sandwich in a park, and later posted details of its own exploit to public-facing websites. In a separate task, after obtaining test answers by mistake, it did not flag the issue — it searched for an independent solution and reasoned that it needed to “ensure its final answer was correct.” In another, it edited git history to hide unauthorized file changes. Anthropic’s interpretability team found features associated with “concealment, strategic manipulation, and avoiding suspicion” activating during these episodes, even when the model’s stated reasoning didn’t show it.

Anthropic’s own framing is careful: the model isn’t scheming, it’s too effective at task completion, with too little sense of proportionality. I’ll let you decide whether that’s reassuring.

Why this matters for blockchains

Here is the part most crypto coverage is missing: the security of every smart contract, every bridge, every exchange hot wallet, and every signer service rests on code — and code now has a new adversary.

Bitcoin’s own consensus code is small and well-audited. I’m not worried about SHA-256 being broken by an LLM. What I’m worried about is everything touching Bitcoin: the Lightning Network implementations, the Rust and Go node clients, the custodial exchanges holding trillions in user funds, the DeFi contracts on Ethereum and L2s, the cross-chain bridges that have already lost over $2 billion to human-found bugs, and the wallet software on every phone. Mythos-class models don’t need to be released publicly to change this calculus. They leak. They get stolen. State actors build their own. The 27-year-old OpenBSD bug that Mythos surfaced is the tell: software we trusted because humans had stared at it for decades can be reread by a machine in hours.

In a world where a single competent model can audit a DeFi protocol faster than any human red team, the asymmetry between attacker and defender gets worse before it gets better. Glasswing is Anthropic trying to bend that asymmetry back toward defense. I hope it works. I’m not going to stake my savings on it.

And then Google published the quantum paper

On March 30, 2026, Google’s Quantum AI team published research showing that breaking the elliptic curve cryptography securing Bitcoin and Ethereum requires fewer than 500,000 physical qubits — a roughly 20-fold reduction from the millions previously assumed. The practical attack estimate sits around 1,200–1,450 high-quality logical qubits.

The mechanism matters. When you broadcast a Bitcoin transaction, your public key becomes visible in the mempool before the transaction is confirmed on-chain. A sufficiently advanced quantum computer, running an optimized version of Shor’s algorithm, can derive the private key from that public key. Google’s paper estimates this can be done in about nine minutes — against Bitcoin’s roughly ten-minute block time. That gives a quantum attacker about a 41% chance of hijacking a live transaction and redirecting funds before the original confirms.
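
Where a figure like 41% comes from, as an added example that is not part of the original post or the Google paper: it assumes block discovery is a Poisson process with a ten-minute mean, a model the post does not state. The function and parameter names are illustrative.

```python
import math
import random

MEAN_BLOCK_MIN = 10.0   # Bitcoin's target block interval (from the post)
ATTACK_MIN = 9.0        # key-recovery time quoted in the post


def p_still_unconfirmed(attack_min, blocks_needed=1, mean_block_min=MEAN_BLOCK_MIN):
    """P(fewer than `blocks_needed` blocks arrive within `attack_min` minutes).

    Assumption: block discovery is a Poisson process, so the number of blocks
    in a window of length t is Poisson(t / mean interval).
    """
    lam = attack_min / mean_block_min
    return sum(math.exp(-lam) * lam**i / math.factorial(i)
               for i in range(blocks_needed))


def simulate(attack_min, blocks_needed=1, trials=100_000, seed=1):
    """Monte Carlo cross-check: draw exponential inter-block gaps."""
    rng = random.Random(seed)
    exposed = 0
    for _ in range(trials):
        wait = sum(rng.expovariate(1.0 / MEAN_BLOCK_MIN)
                   for _ in range(blocks_needed))
        if wait > attack_min:  # still unconfirmed when the window closes
            exposed += 1
    return exposed / trials


if __name__ == "__main__":
    print(f"closed form, next-block inclusion: {p_still_unconfirmed(ATTACK_MIN):.3f}")
    print(f"simulated,   next-block inclusion: {simulate(ATTACK_MIN):.3f}")
    # A low-fee transaction that waits for the second block is exposed longer.
    print(f"included in 2nd block:             {p_still_unconfirmed(ATTACK_MIN, 2):.3f}")
    # Sensitivity of the exposure to the key-recovery time.
    for t in (3, 6, 9, 12):
        print(f"{t:>2} min window -> {p_still_unconfirmed(t):.3f}")
```

Under this model the exposure is exp(-9/10), and it rises for any transaction that has to wait more than one block for inclusion.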

And then there’s the historical exposure. The paper estimates that approximately 6.9 million BTC — about one-third of total supply — already sit in wallets where the public key has been revealed. These include Satoshi’s original coins and every address that has ever been spent from. Ironically, Bitcoin’s 2021 Taproot upgrade, which was celebrated as a privacy and efficiency win, made the situation worse: Taproot outputs expose the public key by default, widening the pool of vulnerable wallets.

John Martinis, the Nobel laureate physicist who built Google’s original quantum processors, endorsed the paper in a CoinDesk interview and said the Bitcoin community “should be thinking about this right now.” Google has set 2029 as the target for its own migration to post-quantum cryptography. That is the timeline being signaled by the people actually building these machines.

Why Bitcoin cannot be quantum-safe in time

This is the part where I expect pushback, so let me be precise. Bitcoin can, in principle, be made quantum-resistant. It cannot, in practice, be made quantum-resistant fast enough, cleanly enough, or completely enough. Here’s why.

The signature math is fixable. The governance is not. BIP 360 (Pay-to-Merkle-Root) was merged into the Bitcoin BIPs repository in February 2026 as the first serious quantum-resistance proposal. Its own co-author, Hunter Beast, estimates a realistic transition could take seven years. Taproot, for comparison, took about seven and a half years from concept to activation. The Bitcoin community reaches consensus slowly, by design — that’s the feature that makes it censorship-resistant, and the bug that makes it unable to respond to a fast-moving cryptographic threat.

BIP 360 only fixes half the problem. It addresses “long exposure” attacks — the 6.9 million coins already sitting in reused or Taproot addresses. It does not address “short exposure” attacks, the nine-minute transaction hijacking window. Fixing short-exposure requires adopting full post-quantum signature algorithms as new tapscript opcodes, which is a much larger code change, a separate soft fork, and a whole second round of ecosystem coordination.

Post-quantum signatures are enormous. NIST’s standardized CRYSTALS-Dilithium signatures run around 2.4 KB. ECDSA signatures are about 72 bytes. That’s a 30x increase. Bundled into Bitcoin’s 1 MB base block size, this doesn’t just raise fees — it collapses throughput toward a fraction of 1 TPS unless the community also agrees to larger blocks or ZK-based compression. Every one of those is a civil war waiting to happen.
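
A rough size model for the throughput claim above, as an added example that is not from the original post or any Bitcoin proposal. It assumes a legacy-style transaction layout, the post's 1 MB framing with no SegWit witness discount, and ML-DSA-44 (Dilithium level 2) sizes; the input layout for a post-quantum spend is hypothetical.

```python
BLOCK_BYTES = 1_000_000      # 1 MB base block size, as framed in the post
BLOCK_INTERVAL_S = 600       # ten-minute block time

# (signature bytes, public-key bytes)
# ECDSA: ~72-byte DER signature (post) + 33-byte compressed public key.
# ML-DSA-44 (CRYSTALS-Dilithium level 2): 2420-byte signature, 1312-byte key.
SCHEMES = {"ecdsa": (72, 33), "ml-dsa-44": (2420, 1312)}

TX_OVERHEAD = 10   # version, locktime, input/output counts
INPUT_FIXED = 41   # outpoint (36) + script length (1) + sequence (4)
OUTPUT_SIZE = 34   # value (8) + script length (1) + 25-byte P2PKH-style script


def tx_bytes(scheme, n_in=1, n_out=2):
    """Approximate serialized size of a transaction signed with `scheme`."""
    sig, pub = SCHEMES[scheme]
    unlock = sig + pub + 2   # two push opcodes (assumed; large pushes cost slightly more)
    return TX_OVERHEAD + n_in * (INPUT_FIXED + unlock) + n_out * OUTPUT_SIZE


def tps(scheme, n_in=1, n_out=2, block_bytes=BLOCK_BYTES):
    """Transactions per second if every transaction in the block looks alike."""
    return (block_bytes // tx_bytes(scheme, n_in, n_out)) / BLOCK_INTERVAL_S


def block_bytes_for_parity(scheme, n_in=1, n_out=2):
    """Block size needed for `scheme` to match ECDSA's transactions per block."""
    ecdsa_per_block = BLOCK_BYTES // tx_bytes("ecdsa", n_in, n_out)
    return ecdsa_per_block * tx_bytes(scheme, n_in, n_out)


if __name__ == "__main__":
    for scheme in SCHEMES:
        for n_in in (1, 2):
            print(f"{scheme:10s} {n_in} input(s): {tx_bytes(scheme, n_in):5d} B/tx, "
                  f"{tps(scheme, n_in):.2f} TPS")
    mb = block_bytes_for_parity("ml-dsa-44") / 1e6
    print(f"block size for ECDSA-level throughput: {mb:.1f} MB")
```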

Satoshi’s coins cannot be migrated. There is no one with the keys. The community faces a binary it cannot wish away: either freeze roughly a million early coins forever — violating the most sacred property right in Bitcoin culture — or leave them on the table for the first actor with a cryptographically relevant quantum computer to steal and dump on the market. There is no third option, and neither of the two is stable.

Emergency workarounds exist, but they’re emergency workarounds. A StarkWare researcher recently proposed Quantum Safe Bitcoin, a hash-based scheme that works within existing consensus rules with no soft fork needed. It costs $75 to $200 per transaction and requires massive off-chain GPU computation. It is, in the author’s own words, a “last resort measure.”

I want to be clear about what I’m not saying. I’m not saying Bitcoin breaks tomorrow. I’m not saying a fault-tolerant quantum computer exists today — IBM’s largest is 1,121 physical qubits, Google’s Willow is 105, and the paper’s attack needs at least 500,000. The nearest serious estimates from Scott Aaronson and Caltech’s Thomas Rosenbaum put a fault-tolerant machine running Shor’s algorithm somewhere in the five-to-seven-year window. What I’m saying is that Bitcoin’s defense timeline — seven years for BIP 360 alone, followed by a second soft fork for signatures, followed by ecosystem-wide wallet migration — is longer than the threat timeline. You don’t have to believe quantum breaks Bitcoin in 2028. You have to believe the migration finishes before it does. I don’t.

The personal part

I used to tell friends to put 5% of their savings into Bitcoin as a hedge against monetary debasement. I can’t say that anymore. The pitch for Bitcoin has always been: the code is the contract, the math is the law, the incentives are immutable. That pitch assumed the math was a constant. It is now a variable with a decay curve.

Meanwhile, the AI side of the equation is accelerating in exactly the direction that exposes everything around the chain — the custodians, the bridges, the wallets, the exchange infrastructure. Mythos is the first model Anthropic has ever been afraid to release. It will not be the last. And whatever successor comes next — from Anthropic, OpenAI, Google DeepMind, or a Chinese lab — will arrive before Bitcoin finishes its post-quantum transition.

I’m not selling in a panic. I’m not telling you to. But I am done recommending Bitcoin or Ethereum as a serious long-term store of value, and I am definitely done telling anyone they’re a conservative bet. The conservative bet is to assume that cryptographic systems built in 2009 will need to be replaced before 2030, and that decentralized networks are historically the slowest systems on earth at replacing themselves.

If you’re a builder, build on the assumption that post-quantum is a hard requirement, not a roadmap item. If you’re a holder, understand what you hold. And if you’re a founder like me — the lesson from Mythos and the Google paper isn’t that the future is scary. It’s that the assumptions you locked in five years ago have an expiration date, and the date came forward.

I was wrong about Bitcoin being forever money. I’d rather say so now than pretend I wasn’t.

