It depends. If funds had been sent in an M-of-N transaction with the output script exposing the public keys, the attacker can select the 20 private keys which belong to those public keys and create a new transaction spending the funds to himself. If the funds had been sent to a P2SH (pay-to-script-hash) address, and no funds have ever been spent FROM that address, then the attacker only knows the hash of the 20 public keys. In that case, he would have to brute-force it, trying every subset of 20 public keys from the 100. It turns out there are about 5.4 * 10^20 possible subsets, so it might not be possible to brute force in a reasonable time.