Hacker News

This isn’t like lottery odds. The space of keys here is vast. Like unimaginably so. 2^256 is a lot of keys.

If someone had a faster method for breaking elliptic curve keys, fast enough to have a realistic chance on GPUs, the repercussions for that would be waaaaaay larger than merely stealing some bitcoin. This is the same math upon which nearly all digital security in common use today is based. It’d be full-on cryptopocalypse.



"larger than merely stealing some Bitcoin"

It's US$2 billion. I can't imagine a better way of monetizing such an exploit than to convert it into cash by using Bitcoin.

The US govt can't pay you US$2 billion without it showing up as a line item in the federal budget. That's like 20% of the NSA's funding. You'd have to get authorization from the President and hold some emergency session of Congress. Other governments would pay less.

Hacking the normal banking system is also challenging. If you steal US$2 billion someone is going to notice and simply undo the transaction because banking doesn't believe in "code as law".


Changing global politics (e.g. allowing the complete decryption of diplomatic messages) has a value and magnitude of impact that is not easily measured in dollar terms.


Assuming you're just some random person and not the govt, why would you care?

Everyone will switch to one-time pads if you released it publicly. And you'd have to be very patriotic to give it secretly to the government.


I’ve spent the last 15 years working in cryptography. I’m now running a startup making quantum computers. I know my customers :)

Switching to one-time pads is easier said than done. Upgrading to PQC will be complicated and difficult, and there are a lot of recorded historical messages.


You're looking at it wrong. There doesn't need to be a generalizable, embarrassingly parallel, computationally lower-class key reduction.

Just this specific implementation with these specific wallets, maybe using a version of the btc code with a small recently discovered bug that existed, say, for 3 months in 2011.

You can have something extremely localized and get this result. And this is exactly the behavior people have long game theoried would happen under such a scenario.

You're implicitly making the claim that just because you can't find something widely discussed in the literature, then any optimization of any kind is impossible and nobody would ever dare to keep an advantage in stealing bitcoin wallets secret.

Stuxnet is way less plausible than this yet that happened.

People have been trying to do this for a decade and have in aggregate thrown probably north of $100 million into it through separate efforts. The idea of someone finally succeeding is kind of expected.

Again, the only claim I'm making here is that this is not only a non-zero chance, but, in my mind, over 90%.


The most likely weakness is in the ECC implementation. I don't understand the math (who does?), but what the debate over https://safecurves.cr.yp.to/ tells me is that very few people know what a "weak curve" is, but people agree that they exist. This has always made me sketch on ECC in general, especially since it is also used in Tor. Another possibility is compromising the RNG used for creating the pvt sig? Which, since these are early addresses, would have been from a very early version of the software, and might have used a shitty RNG. If this is a crack it could definitely be state-level actors (who has the US pissed off lately? who have they not?). Whether it is state/private, the goal would be to extract as much real money as possible before creating a panic, so it will be interesting to see where the money goes.


FYI the “safe curves” charts are garbage self-promotion for his own crypto algorithms. I generally respect DJB, but he didn’t even try to be unbiased with that analysis.



