The Amount of Bitcoin Susceptible to Quantum Computing

We are mapping Bitcoin’s exposure to quantum threats, differentiating between systemic and operational origins of public-key visibility across the network.


Recent investigations have highlighted a growing concern within the Bitcoin ecosystem: which coins are currently susceptible to quantum computing threats while in storage? The critical factor is whether the public key required for spending a coin is already accessible on the blockchain. By this metric, 6.04 million BTC, representing 30.2% of the total circulating supply, is exposed, while the remaining 13.99 million BTC, or 69.8%, shows no readily available public-key exposure at rest. These figures align closely with prior published research [1].

We categorize this exposure into two distinct types. The first is structural exposure: transaction outputs where the script type inherently exposes the public key. The second is operational exposure: coins that might have been initially secured but have since had their public keys exposed due to practices like address reuse, partial spending, or specific custody behaviors, while the BTC remains associated with them.

Figure 1. Bitcoin Supply by Quantum Safety (Share)

Structural exposure accounts for 1.92 million BTC, approximately 9.6% of the issued supply. The more significant portion stems from operational exposure, totaling 4.12 million BTC, or 20.6%. Within this latter category, balances associated with exchanges alone constitute 1.63 million BTC, equivalent to 8.1% of all issued BTC, highlighting the critical role of wallet security practices and custody management in mitigating public-key exposure.

This analysis does not venture into speculating on the feasibility or timeline of practical quantum attacks against Bitcoin, nor should it be interpreted as a commentary on the security or financial stability of any specific custodian. It serves as a data-driven perspective: a method for quantifying the extent of existing public-key exposure, identifying which portions are likely permanent, and which could be reduced through enhanced wallet and custody procedures.

Public-Key Exposure, Simplified

Bitcoin assets are controlled via private keys. Public keys function as the corresponding verification elements, enabling the network to confirm that a valid signature originates from the private key holder. Under current cryptographic principles, the public key can be openly known because deriving the private key from it is considered computationally infeasible.

The quantum computing concern is that a sufficiently advanced Cryptographically Relevant Quantum Computer (CRQC), employing Shor’s algorithm, could theoretically retrieve a private key from a known public key. In this context, the relevant on-chain question is straightforward:

Has the public key already been disclosed?

If the public key is already visible on the network, the associated coin is considered exposed. An attacker would not need to await the owner’s transaction to act; the public key is already accessible. If the public key remains concealed on-chain, the coin is not presently vulnerable under this specific at-rest exposure model.

ℹ️ At-Rest vs. On-Spend Exposure: This article concentrates on at-rest exposure, referring to BTC currently held in outputs where the corresponding public key is already identifiable. This differs from an on-spend scenario, where the public key is revealed only upon the broadcast or confirmation of a transaction. On-spend exposure relates to timing and settlement challenges, whereas at-rest exposure represents a quantifiable segment of the supply. Consequently, “safe” in this context signifies “not presently exposed at rest,” rather than complete post-quantum invulnerability against all potential future attack vectors.

The exposed supply is divided into two categories: structural exposure (1.92 million BTC, 9.6%) and operational exposure (4.12 million BTC, 20.6%).

Figure 2. Bitcoin Supply by Quantum Safety (BTC)

Structural Exposure: Inherent Vulnerability

The initial source of at-rest exposure arises from structural elements. In these configurations, the output type itself inherently discloses the public key, irrespective of the owner’s adherence to diligent address management practices.

This category includes older Pay-to-Public-Key (P2PK) outputs (from Satoshi and the early Satoshi Era), traditional multisignature schemes like Pay-to-Multi-Signature (P2MS), and even contemporary Taproot (P2TR) outputs. While these script types differ significantly in their historical context and intended use, they share a common characteristic within this analysis: the public key, or a functional equivalent, is by default visible on the blockchain. From a quantum computing standpoint, any Bitcoin locked via these methods is therefore a potential target while it remains unspent.

We currently classify 1.92 million BTC, or 9.6% of the issued supply, as structurally insecure. This segment is further divisible into three distinct analytical sub-categories:

Figure 3. Structurally Unsafe Bitcoin by Source

The Satoshi and early Satoshi-era coins represent the most enduring form of structural exposure. If these coins are misplaced, abandoned, or held by inactive parties (including Satoshi himself), they cannot be voluntarily moved to more secure address formats. Consequently, they may remain exposed indefinitely unless the network eventually implements a broad, and likely contentious, protocol-level solution.

Taproot introduces a significant modern consideration. Taproot is not inherently flawed within Bitcoin’s general design philosophy: it enhances privacy, efficiency, and scripting flexibility. It does, however, present structural exposure in this specific public-key visibility framework, because the Taproot output key is visible on-chain. The proposed Pay-to-Merkle-Root (P2MR) output in BIP-360 can be viewed as a measure to address this prolonged exposure issue, aiming to offer Taproot-like script-tree capabilities while eliminating the quantum-vulnerable key-path spending mechanism. It is not a comprehensive post-quantum solution and does not automatically migrate existing Taproot outputs [2].

Therefore, the crucial insight is not merely that 1.92 million BTC is exposed by its design. It is also that a portion of this exposure may be practically immovable, while another part could potentially be reduced through advancements in wallet infrastructure, address standards, and user practices.

Operational Exposure: Vulnerability Through Practice

The second category of at-rest exposure stems from operational factors. These outputs are not inherently vulnerable due to their design. Instead, they become exposed because the public key has already been revealed while the associated BTC remains linked to the same address, key, or script configuration.

This phenomenon is commonly known as the address-reuse problem. Output types such as Pay-to-Public-Key-Hash (P2PKH), Pay-to-Script-Hash (P2SH), Pay-to-Witness-Public-Key-Hash (P2WPKH), and Pay-to-Witness-Script-Hash (P2WSH) can conceal public keys behind hashes while coins are dormant. However, once a public key is exposed in a transaction, any remaining or subsequent balance linked to that same key loses its protective obscurity. The coin then falls into the at-rest exposed set because its public key is already known [1].
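The two categories described above can be expressed as a small classifier over scriptPubKey templates. This is an added example, not Glassnode's methodology or code: the function names, the `revealed` input (hash commitments already disclosed by an earlier spend) and all sample data are assumptions, and keys linked across formats by anything other than an identical hash are not detected.

```python
# Added example with constructed scripts, hashes and amounts (not chain data).
STRUCTURAL = {"P2PK", "P2MS", "P2TR"}   # public key visible in the output itself

def parse_script(spk: bytes):
    """Return (script type, hash commitment or None) for a scriptPubKey."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK", None              # <pubkey> OP_CHECKSIG
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", None              # OP_1 <32-byte output key>
    if n >= 37 and spk[-1] == 0xAE and all(0x51 <= b <= 0x60 for b in (spk[0], spk[-2])):
        return "P2MS", None              # OP_m <pubkeys> OP_n OP_CHECKMULTISIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "P2PKH", spk[3:23]
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "P2SH", spk[2:22]
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", spk[2:22]
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", spk[2:34]
    return "OTHER", None

def classify(spk: bytes, revealed: set) -> str:
    """revealed: hash commitments whose preimage an earlier spend disclosed."""
    kind, commitment = parse_script(spk)
    if kind in STRUCTURAL:
        return "structural"
    if kind == "OTHER":
        return "unclassified"
    return "operational" if commitment in revealed else "safe"

def exposure_report(utxos, revealed):
    totals = {"structural": 0, "operational": 0, "safe": 0, "unclassified": 0}
    for spk, sats in utxos:
        totals[classify(spk, revealed)] += sats
    return totals

H1, H2 = b"\x11" * 20, b"\x22" * 20      # constructed HASH160 values
SAMPLE_UTXOS = [
    (b"\x41" + b"\x04" * 65 + b"\xac", 5_000_000_000),       # P2PK
    (b"\x51\x20" + b"\x33" * 32, 100_000_000),               # P2TR
    (b"\x76\xa9\x14" + H1 + b"\x88\xac", 200_000_000),       # P2PKH, key reused
    (b"\x00\x14" + H1, 50_000_000),                          # P2WPKH, same key
    (b"\x00\x14" + H2, 300_000_000),                         # P2WPKH, never spent
]
REVEALED = {H1}

if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS, REVEALED))
```

The P2WPKH output that reuses `H1` lands in the operational bucket even though that output itself was never spent, because the same key hash was already opened by the P2PKH spend.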

Operational exposure constitutes the larger segment within the Glassnode dataset. We classify 4.12 million BTC, or 20.6% of the issued supply, as operationally insecure. This figure is 2.1 times larger than the structurally insecure balance. The primary takeaway is that the majority of current at-rest exposure is not solely a consequence of legacy script design but rather a result of key and address management practices.

Exchanges represent the most significant identifiable subset. Within the operationally insecure category, 1.66 million BTC, or 8.3% of the total supply, is linked to exchanges. This accounts for approximately 40% of all operationally insecure BTC. Relatively speaking, this is also a substantial amount, with roughly half of the identified exchange-held BTC falling into the vulnerable category, compared to less than 30% of non-exchange supply.

Figure 4. Operationally Unsafe Bitcoin Supply

Entity-level data indicates that this exposure is not uniformly distributed. Certain custodians exhibit comparatively lower exposure according to this methodology, while others hold a significantly larger proportion of their identified balances in outputs where public keys are already discernible.

Figure 5. BTC Exchange Supply

For instance, among major exchanges, balances associated with Coinbase appear predominantly in non-exposed structures (only 5% exposed balance). In contrast, Binance and Bitfinex show a comparatively higher proportion of susceptible balances under this analytical framework – 85% and 100%, respectively.

Beyond exchanges, the exposure among other identified entities exhibits similar heterogeneity. Fidelity and CashApp are near 2%, Grayscale at approximately 50%, while Robinhood and WisdomTree are fully exposed at 100%.

Sovereign treasuries, however, demonstrate largely no public-key exposure: the US, UK, and El Salvador all show 0% quantum exposure.

Figure 5. Operationally Unsafe Bitcoin by Entity

⚠️ IMPORTANT: It is crucial to understand that the data presented herein should not be construed as an immediate risk assessment, a solvency indicator, or a declaration regarding the security of any specific exchange or custodian. It simply illustrates that the design of custody solutions leaves a discernible on-chain record.

Looking at the broader trends, these disparities among entities are persistent. Government-held assets have consistently maintained over 99% operational safety for years. In contrast, exchanges, facing more complex wallet management challenges, have seen their operational safety share decline from approximately 55% in 2018 to around 45% currently. This trend is readily reversible through standard address management protocols (e.g., avoiding reuse, rotating change outputs).

Figure 6. Operationally Safe Bitcoin Share by Entity Type

Monitoring Capabilities Provided by the Data

Bitcoin’s vulnerability to quantum threats can be segmented into categories with distinct implications.

The structurally insecure bucket includes a legacy component that may be challenging or impossible to migrate, alongside a contemporary component that could become more effectively managed through standards like P2MR. The operationally insecure bucket is larger and reflects the practical realities of coin management. Within this category, exchanges constitute a substantial, identifiable, and potentially transferable subset.

Consequently, the operational insight is clear: readiness for quantum computing is not solely a protocol-level concern. A significant portion of measurable exposure resides with active entities capable of reducing it through current operational choices. For exchanges and custodians, maintaining good address hygiene, effective reserve management, minimizing key reuse, and proactive migration planning are not abstract future considerations—they are actionable strategies for diminishing observable exposure.

Until then, this analysis should be interpreted narrowly. It is not a prediction of quantum timelines, an estimation of exploit probability, or an assertion that exposed coins face imminent risk. It provides a foundational map of where Bitcoin public keys are currently visible and where opportunities for reducing that exposure are most quantifiable.

References

[1] Google Quantum AI, “Securing Elliptic Curve Cryptocurrencies Against Quantum Attacks”, March 2026.

[2] Bitcoin Improvement Proposals, “BIP-360: Pay-to-Merkle-Root (P2MR)”, December 2024.


Based on materials from: insights.glassnode.com
