How we watch Satoshi's wallets
Everything we do is based on publicly verifiable on-chain data and open research. This page explains where the address list comes from, how our monitor works, and why quantum computing adds an independent urgency to watching these wallets.
Sergio Lerner's forensic breakthrough
In 2013, Argentinian cryptographer Sergio Demian Lerner published a series of blog posts that changed how the Bitcoin community understood its own early history. By analysing thenExtraNoncefield in coinbase transactions — a counter that increments each time a miner restarts their mining software — he found a highly distinctive pattern.
One miner, mining from approximately block 1 through to block 54,000 (spanning 2009–2010), had a consistent and unique nonce fingerprint unlike any other. This miner never shared hash rate with others, ran software that incremented nonces in a specific range, and mined with extraordinary consistency. Lerner named this entity "Patoshi" — a portmanteau of "pattern" and "Satoshi."
Crucially, this is probabilistic forensics — not cryptographic proof. The pattern is compelling enough that the research is widely cited and accepted within the Bitcoin research community, but it is not mathematically certain that Patoshi is Satoshi Nakamoto. It is the best evidence available.
Where our 21,953 addresses come from
Each Patoshi-attributed block contains a coinbase transaction with an output that pays to a specific public key. These public keys are embedded directly in thescriptPubKeyfield of the output — a format called Pay-to-Public-Key (P2PK), which was used in the very earliest Bitcoin transactions before the more common Pay-to-Public-Key-Hash (P2PKH) format was introduced.
Because the public key is embedded directly in the script (rather than its hash), these public keys have always been visible to anyone reading the blockchain — a fact that becomes significant when considering quantum risk.
Developer Ben Sigman compiled these public keys into an open-source dataset:github.com/bensig/patoshi-addresses ↗. This is the dataset we use.
To convert those public keys into standard Bitcoin addresses, we apply the canonical derivation:
The resulting addresses are standard Bitcoin P2PKH addresses beginning with "1". Our full derivation script is reproducible — anyone can run it against the same source data and arrive at the same 21,953 addresses.
Real-time, block-by-block surveillance
Our monitor runs 24/7 on a dedicated server and connects to themempool.space ↗websocket API — the same infrastructure used by Bitcoin developers and block explorers worldwide.
When a new block is confirmed, we fetch every transaction in that block and scan its inputs. A transaction input contains a reference to a previous output — if any of those referenced outputs belong to a Patoshi address, we have a match.
We also poll the unconfirmed mempool every 10 minutes, meaning we can detect a Patoshi spend before it even confirms into a block — typically 2–8 minutes faster than waiting for confirmation.
All 21,953 addresses are held in memory as a hash set, so each transaction input lookup is constant-time regardless of how many addresses we watch. False positives are impossible — a match requires the input to reference a UTXO held by an exact Patoshi address.
Why Patoshi's wallets face a unique quantum risk
Bitcoin's security rests on two layers of cryptography: the elliptic curve discrete logarithm problem (ECDLP), which protects private keys, and SHA-256 / RIPEMD-160 hashing, which hides public keys in modern addresses. Patoshi's wallets only have the first layer.
Because Patoshi mined using the early P2PK output format, the raw public keys are permanently visible on the blockchain — there is no hash obscuring them. This matters because Shor's algorithm, running on a sufficiently powerful quantum computer, can theoretically derive a private key directly from its corresponding public key. With the public key already exposed, Patoshi's coins skip the only step that would otherwise protect them.
How far away is this threat?
Closer than most people think. Industry roadmaps — led by IBM, Google, Microsoft, Amazon, and Intel — suggest quantum computers may be capable of breaking ECDSA cryptography in as little as 2–5 years. The US federal government has issued a mandate to phase out ECDSA entirely by 2035.
Even accepting the most optimistic timeline, a Bitcoin-wide response would require changes at the protocol level, the software level, the infrastructure level, and ultimately user-level key migrations — a process that takes years in a decentralised network. The window to act is narrower than the countdown to the threat itself.
For Patoshi's wallets specifically, no migration is possible without the private keys. If Satoshi is unable or unwilling to move the coins to quantum-resistant addresses before a capable quantum computer exists, those keys become permanently vulnerable. A state actor or well-resourced private entity cracking one would produce a transaction indistinguishable from a voluntary Satoshi spend — and our monitor would fire either way.
What this is — and isn't
The Patoshi pattern is the strongest evidence we have, but it is forensic analysis, not cryptographic proof. It is possible — though unlikely — that Patoshi was a different early miner.
Our system only fires when a Patoshi address is used as a transaction input (i.e., spending coins). People can and do send dust or small amounts to Patoshi addresses — we ignore all of that.
If an alert fires, it means a private key was used — but we can't tell you whether it was Satoshi, an heir, a hacker, or a quantum computer. The alert tells you a move happened, not why.
Our 21,953 addresses are derived from the bensig dataset, itself based on Lerner's block attribution research. Blocks at the edge of the Patoshi pattern are less certain, and future research may add or remove addresses.
You've read the methodology. Now make sure you're on the list.
Get the alert →