TL;DR: We walked the full chain (genesis to block 952,694, Bitcoin Core 28.0.0) and classified every UTXO by whether its public key is already visible on chain. 5,071,264 BTC - 25.3% of circulating supply - is quantum-exposed today, across 12,749,047 addresses. Reproducible to the satoshi. If you were mining or transacting here in 2009-2013, part of this number may be yours.
The breakdown (snapshot 2026-06-07, block 952,694):
Script type Class BTC Addresses % of at-risk
P2WPKH reuse-exposed 1,896,840 3,534,421 37.4%
P2PKH reuse-exposed 1,196,717 3,927,012 23.6%
P2PK always-exposed 853,247 22,223 16.8%
P2WSH reuse-exposed 675,992 88,940 13.3%
P2SH reuse-exposed 238,709 279,102 4.7%
P2TR always-exposed 209,759 4,897,349 4.1%
Total 5,071,264 12,749,047 25.3% of supply
1,822,794 BTC of the at-risk pool has had its pubkey exposed for 5+ years. The 853,247 BTC of P2PK is almost entirely 2009-2010 coinbase outputs - and the bulk of it maps onto the Patoshi pattern Sergio Lerner first documented years ago. But the ancient coins are NOT the headline: the single largest bucket is modern P2WPKH (bc1q) addresses that got reused after a spend. That is users today, not museum pieces.
On methodology - because the number depends on it. The draft post-quantum migration BIPs cite "over 34%" exposed. Wicked Smart Bitcoin's open-source dashboard measures 34.55% (block 951,000) with the conservative rule: every spent-from P2SH/P2WSH counts. We use strict redeem-script parsing: P2SH/P2WSH count only when the revealed script actually contains a pubkey-bearing opcode (pubkey push + CHECKSIG family, or CHECKMULTISIG). Timelock-only and hash-preimage scripts do not leak keys and are excluded by name. So 25.3% is the rigorous lower bound, 34.55% the conservative upper bound, and real exposure sits between them. All three measurements are public and the gap is explained, not hidden.
What this is not: not a CRQC timeline prediction (no such machine exists; serious estimates run 10 to 30 years), not a call to panic-migrate (every spend exposes your pubkey in the mempool window - mass migration during an actual quantum emergency would be the worst possible response), and not an altcoin pitch (the fix for Bitcoin is a Bitcoin soft fork, whenever consensus gets there).
What is actionable today: stop reusing addresses - 79% of the at-risk pool is reuse-exposed, all of it avoidable for free. And if you hold coins at P2PK or long-reused addresses from the early era: move them to a fresh hashed address on your own schedule, calmly. A botched consolidation today is a bigger risk to your stack than a quantum computer is.
References:Report & Baseline PDF (weekly Sunday snapshots):
https://chainquery.com/reports/quantum-exposurePlain-language explainer:
https://www.learnbitcoin.com/rabbit-hole/quantum-and-bitcoinEverything is re-derivable from a Bitcoin Core node: a getblock verbosity-3 chain walk builds the revealed-pubkey registry, then dumptxoutset joins the current UTXO set against it. Registry schema and RPC call shapes are in the PDF appendix.
