BTC Tools
← All guides

Guide · btccalcs.com

How much Bitcoin is quantum exposed?

Published 2026-06-23

Roughly 6.04 million BTC, about 30.2% of issued supply as of mid-2026, has a public key already visible on-chain, making it theoretically vulnerable to a sufficiently powerful quantum computer; estimates across Glassnode, Ark Invest/Unchained, Deloitte, and Chaincode Labs range from 25% to 35%.

Mechanism

Quantum exposure requires the public key Q to be visible on-chain. Three address-type buckets matter. (1) P2PK: the raw public key is encoded directly in scriptPubKey, so Q is permanently visible. About 5% of issued supply, mostly long-dormant early-mining coins. (2) Reused P2PKH (and reused P2WPKH): the key is revealed the first time a UTXO is spent; any coin re-sent to that same address is then exposed. About 5% to 7% of supply. (3) Unspent P2PKH / P2SH / P2WPKH: only the hash of Q is on-chain until first spend, so Q is hidden. Roughly 65% to 70% of supply sits in this bucket and is not currently exposed. Sum of exposed buckets: P2PK + reused-hash addresses ≈ 25% to 35% of supply, centered near 30.2% (6.04M BTC) as of mid-2026.

Detail

Exposed does not mean at immediate risk. No quantum computer currently breaks the secp256k1 elliptic curve. The largest demonstrated factoring runs and the largest published Shor-style ECC attacks remain many orders of magnitude below the qubit count, error rate, and runtime needed to derive a private key from a 256-bit public key. Exposure is a precondition for risk, not a measure of it.

For exposure to become an active threat, three things must change together: a fault-tolerant quantum computer reaches the millions of logical qubits required for ECDLP on secp256k1; the same machine sustains the wall-clock window needed to attack a key before its UTXO is moved; and Bitcoin has not migrated to a post-quantum signature scheme by then. Mainstream timelines from NIST, NSA, and academic surveys do not place this within the next decade, but the harvest-now-decrypt-later dynamic means the exposed set today is the attack surface for any future capability.

The exposed percentage has grown for two reasons. P2PK coins from 2009 to 2010 mining have never moved, so their share of issued supply shrinks only as new BTC is mined. And address reuse, while declining as a share of new activity, accumulates: every reused address adds to the permanently exposed set.

Holders can reduce exposure today by moving coins to a fresh address (ideally a SegWit P2WPKH or Taproot P2TR address) that has never signed a transaction. The act of spending reveals the source key, so the migration window is the single transaction. Treasuries should plan migration before any public PQC milestone, not after.

Sources

  1. Glassnode on-chain analytics, address-type supply distribution2024-09
  2. Deloitte: Quantum computers and the Bitcoin blockchain2022-04
  3. Ark Invest and Unchained: Bitcoin and the quantum threat2023-11
  4. Chaincode Labs: secp256k1 and post-quantum considerations2024-06

Related

Quantum Exposure Checker/tools/quantum-exposure-checkerHarvest Decrypt Later/tools/harvest-decrypt-laterTreasury Quantum Exposure/tools/treasury-quantum-exposure

FAQ

Model the numbers yourself →

What this leaves out. Educational content based on public filings and market data as of the published date. Not investment, accounting, tax, or legal advice. Verify all figures against primary sources before acting.