This is often repeated around here, but are there any documented, non-theoretical examples of that? Not talking about in 10 years, but today? Not trolling. Do you have any sources for that claim?
One verifiable source is that the bitcoin network collectively has completed ~2^80 hashing operations since the genesis block. This can be verified by looking at the cummulative difficulty of the best chain from genesis block to current. Granted it is has taken years and involved tens of thousands of specialized devices but it has been done. It is proven that humans can complete problems requiring on the order of 2^80 operations.
This site reports recommendations from various organizations of the minimum key lengths required to remain ahead of Moore's law.
http://www.keylength.com/en/compare/if you were only worried about today and today only the min key length for ECDSA is 152 to 224 bits. Bitcoin's current signature algorithm is good for at least a few decades. None show any concerns for breaking 256 bit ECDSA keys before 2040 and many show they will be good for decades beyond that.
I personally would not be concerned with using a reduced strength key (at least 80 bits). The economics of an attack would be incredible and you would only be at risk if you either reuse an address or if the attacker could complete the attack not in months or years but before the txn could be confirmed (i.e. within 10-30 minutes).
Today keys with 80 bit strength are generally considered insecure but honestly it is
probably beyond the capabilities of almost all attackers in the world. Three letter agencies of major world powers are probably the only entities with sufficient resources. There are no hard and fast rules simply because almost nobody builds computing systems on that scale and if they do they are probably highly classified. We also don't know the future. Who knows what systems major governments are building right now.
Still the idea of "probably secure" isn't considered good enough for most cryptographers. We don't necessarily know how much computing power the attacker has, so it is simpler to reverse it. How much computing power do we know the attacker can NOT have. If a brute forcing a key requires more than that then it is infeasible to break it. In other words I don't know what is the strongest key that the NSA has can crack but I do know they can't brute force a key with 128 bit security* using classical computing (and will not be able to do so for the next couple decades). Brute forcing a key with 256 bit security would require more energy than will be output by our star in its entire lifetime so it will remain infeasible long after we are dead and gone.
* This doesn't mean all 128 bit keys are forever secure. Future cryptanalysis may weaken the underlying algorithm such that a 256 bit ECDSA key someday can be brute forced in less than 2^128 operations. It also doesn't apply to things like weak passwords, brain wallets, etc. None of those involve a brute force attack against the keyspace. It also doesn't apply to esoteric concepts like quantum computing or reversible computing as they don't necessarily have the same energy requirements.