Bitcoin Forum
Topic: Bitcoin's quantum-exposed supply, measured: 5,071,264 BTC (25.3%)
windpath (OP), June 11, 2026, 05:17:39 PM, #1

TL;DR: We walked the full chain (genesis to block 952,694, Bitcoin Core 28.0.0) and classified every UTXO by whether its public key is already visible on chain. 5,071,264 BTC - 25.3% of circulating supply - is quantum-exposed today, across 12,749,047 addresses. Reproducible to the satoshi. If you were mining or transacting here in 2009-2013, part of this number may be yours.

The breakdown (snapshot 2026-06-07, block 952,694):

Code:
Script type   Class            BTC        Addresses    % of at-risk
P2WPKH        reuse-exposed    1,896,840  3,534,421    37.4%
P2PKH         reuse-exposed    1,196,717  3,927,012    23.6%
P2PK          always-exposed     853,247     22,223    16.8%
P2WSH         reuse-exposed      675,992     88,940    13.3%
P2SH          reuse-exposed      238,709    279,102     4.7%
P2TR          always-exposed     209,759  4,897,349     4.1%
Total                          5,071,264 12,749,047    25.3% of supply

For the old-timers specifically: 1,822,794 BTC of the at-risk pool has had its pubkey exposed for 5+ years. The 853,247 BTC of P2PK is almost entirely 2009-2010 coinbase outputs - and the bulk of it maps onto the Patoshi pattern Sergio Lerner first documented years ago. But the ancient coins are NOT the headline: the single largest bucket is modern P2WPKH (bc1q) addresses that got reused after a spend. That is users today, not museum pieces.

On methodology - because the number depends on it. The draft post-quantum migration BIPs cite "over 34%" exposed. Wicked Smart Bitcoin's open-source dashboard measures 34.55% (block 951,000) with the conservative rule: every spent-from P2SH/P2WSH counts. We use strict redeem-script parsing: P2SH/P2WSH count only when the revealed script actually contains a pubkey-bearing opcode (pubkey push + CHECKSIG family, or CHECKMULTISIG). Timelock-only and hash-preimage scripts do not leak keys and are excluded by name. So 25.3% is the rigorous lower bound, 34.55% the conservative upper bound, and real exposure sits between them. All three measurements are public and the gap is explained, not hidden.

What this is not: not a CRQC timeline prediction (no such machine exists; serious estimates run 10 to 30 years), not a call to panic-migrate (every spend exposes your pubkey in the mempool window - mass migration during an actual quantum emergency would be the worst possible response), and not an altcoin pitch (the fix for Bitcoin is a Bitcoin soft fork, whenever consensus gets there).

What is actionable today: stop reusing addresses - 79% of the at-risk pool is reuse-exposed, all of it avoidable for free. And if you hold coins at P2PK or long-reused addresses from the early era: move them to a fresh hashed address on your own schedule, calmly. A botched consolidation today is a bigger risk to your stack than a quantum computer is.

References:
Report & Baseline PDF (weekly Sunday snapshots):
https://chainquery.com/reports/quantum-exposure

Plain-language explainer:
https://www.learnbitcoin.com/rabbit-hole/quantum-and-bitcoin

Everything is re-derivable from a Bitcoin Core node: a getblock verbosity-3 chain walk builds the revealed-pubkey registry, then dumptxoutset joins the current UTXO set against it. Registry schema and RPC call shapes are in the PDF appendix.

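The strict redeem-script rule from the methodology paragraph, as an added illustration (this is not the chainquery tooling or any code from the report): a minimal script walker that flags a revealed P2SH/P2WSH script only when it contains a pubkey-looking push together with a CHECKSIG-family or CHECKMULTISIG opcode, and leaves timelock-only and hash-preimage scripts unflagged. My reading of "pubkey push + CHECKSIG family, or CHECKMULTISIG" as "both a key push and a checking opcode" is an assumption; the keys, locktime and scripts are constructed placeholders, and the witness of a wrapped-segwit spend is out of scope here.

```python
# Opcode constants (subset needed here); values are from the Bitcoin script spec.
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E
OP_2, OP_3, OP_DROP, OP_EQUAL, OP_SHA256, OP_CLTV = 0x52, 0x53, 0x75, 0x87, 0xA8, 0xB1
OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKMULTISIG, OP_CHECKMULTISIGVERIFY = 0xAC, 0xAD, 0xAE, 0xAF
KEY_OPCODES = {OP_CHECKSIG, OP_CHECKSIGVERIFY, OP_CHECKMULTISIG, OP_CHECKMULTISIGVERIFY}

def parse_script(script: bytes) -> list:
    """Split a raw script into opcodes (int) and pushed data (bytes)."""
    out, i = [], 0
    while i < len(script):
        op = script[i]; i += 1
        if 1 <= op <= 0x4B:                      # direct push of 1..75 bytes
            n = op
        elif op == OP_PUSHDATA1:
            n = script[i]; i += 1
        elif op == OP_PUSHDATA2:
            n = int.from_bytes(script[i:i + 2], "little"); i += 2
        elif op == OP_PUSHDATA4:
            n = int.from_bytes(script[i:i + 4], "little"); i += 4
        else:
            out.append(op); continue             # a non-push opcode
        if i + n > len(script):
            raise ValueError("truncated push")
        out.append(script[i:i + n]); i += n
    return out

def looks_like_pubkey(data: bytes) -> bool:
    """SEC encoding: 33 bytes with 02/03 prefix, or 65 bytes with 04 prefix."""
    return (len(data) == 33 and data[0] in (2, 3)) or (len(data) == 65 and data[0] == 4)

def reveals_pubkey(script: bytes) -> bool:
    """Strict rule (assumed reading): a pubkey push AND a CHECKSIG-family/CHECKMULTISIG opcode."""
    elems = parse_script(script)
    has_key = any(isinstance(e, bytes) and looks_like_pubkey(e) for e in elems)
    has_check = any(isinstance(e, int) and e in KEY_OPCODES for e in elems)
    return has_key and has_check

def push(d: bytes) -> bytes: return bytes([len(d)]) + d   # direct push only (<= 75 bytes)

# Constructed placeholder keys, locktime and scripts; none of these are real or on-chain.
K1, K2, K3 = b"\x02" + bytes(range(32)), b"\x03" + bytes(range(32, 64)), b"\x02" + bytes(range(64, 96))
LOCKTIME = bytes.fromhex("40e2ff")                        # script-number push of a block height
SAMPLES = {
    "2-of-3 multisig": bytes([OP_2]) + push(K1) + push(K2) + push(K3) + bytes([OP_3, OP_CHECKMULTISIG]),
    "hash-preimage":   bytes([OP_SHA256]) + push(bytes(32)) + bytes([OP_EQUAL]),
    "timelock-only":   push(LOCKTIME) + bytes([OP_CLTV]),
    "cltv+key":        push(LOCKTIME) + bytes([OP_CLTV, OP_DROP]) + push(K1) + bytes([OP_CHECKSIG]),
    "p2pk":            push(b"\x04" + bytes(64)) + bytes([OP_CHECKSIG]),
}
def classify_all() -> dict:
    return {name: reveals_pubkey(s) for name, s in SAMPLES.items()}
```

Only the multisig, the CLTV-plus-key and the bare P2PK scripts are counted as exposed; the preimage and locktime-only scripts are excluded, which is the difference between the strict and the conservative count.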
satashi_nokamato, Today at 03:53:14 AM, #2

Don't get me wrong, but when the QC powerful enough gets into the mix of breaking all and every vulnerable crypto systems, no matter whether you have your public keys exposed or not. In other terms, the world of internet and then the actual world we're living in is screwed. Distance from secp256k1 and SHA256 is less than 1 in terms of breakability, not to mention RIPEMD160 which is for now our most immediate concern.

Don't panic just yet, there are solutions to prevent everything from going under the water. It just requires less than 20k BTC to fund the transition.

d5000, Today at 06:08:03 AM (last edit: Today at 06:20:38 AM by d5000), #3

I always thought Satoshi's P2PK funds alone were more than a million coins already? Or has he used P2PKH already (I'm referring to Patoshi of course)?

These numbers are much better than I expected. The million coins in P2PK / P2TR plus a few ones in P2MS would not create more than a regular "dip" for the price if they're cracked, and it's very unlikely they'll be stolen in a single day or even a month (more likely in a year or so).

It's really time to introduce more measures against re-using addresses. Still many wallets do not even warn you when you do that ...

Quote from: windpath on June 11, 2026, 05:17:39 PM
not a call to panic-migrate (every spend exposes your pubkey in the mempool window - mass migration during an actual quantum emergency would be the worst possible response),
I don't agree. If you already have coins on a reused address, then one spend more does not alter the picture. I think the more people "migrate" their coins from reused addresses to a fresh address, the better.

Of course nobody should migrate from a non-reused address without exposed public key, but ... where should they migrate to anyway?

windpath (OP), Today at 03:11:55 PM, #4

Quote from: satashi_nokamato on Today at 03:53:14 AM
Don't get me wrong, but when the QC powerful enough gets into the mix of breaking all and every vulnerable crypto systems, no matter whether you have your public keys exposed or not. In other terms, the world of internet and then the actual world we're living in is screwed. Distance from secp256k1 and SHA256 is less than 1 in terms of breakability, not to mention RIPEMD160 which is for now our most immediate concern.

Don't panic just yet, there are solutions to prevent everything from going under the water. It just requires less than 20k BTC to fund the transition.

Worth distinguishing the two quantum attacks: Shor's algorithm gives exponential speedup against ECDSA on secp256k1; that's the existential threat to exposed pubkeys. Grover's algorithm gives square-root speedup against SHA256/RIPEMD160; that's a weakening (256-bit -> 128-bit effective security for SHA256, 160-bit -> 80-bit for RIPEMD160), not a break. The "distance is less than 1" framing conflates the two. Pubkey hashes (P2PKH/P2WPKH) are quantum-safe in practice until first spend, even with a CRQC. On the 20k BTC migration funding estimate, interesting, what's that based on?

windpath (OP), Today at 06:26:53 PM, #5

Quote from: d5000 on Today at 06:08:03 AM
I always thought Satoshi's P2PK funds alone were more than a million coins already? Or has he used P2PKH already (I'm referring to Patoshi of course)?

These numbers are much better than I expected. The million coins in P2PK / P2TR plus a few ones in P2MS would not create more than a regular "dip" for the price if they're cracked, and it's very unlikely they'll be stolen in a single day or even a month (more likely in a year or so).

It's really time to introduce more measures against re-using addresses. Still many wallets do not even warn you when you do that ...

Quote from: windpath on June 11, 2026, 05:17:39 PM
not a call to panic-migrate (every spend exposes your pubkey in the mempool window - mass migration during an actual quantum emergency would be the worst possible response),
I don't agree. If you already have coins on a reused address, then one spend more does not alter the picture. I think the more people "migrate" their coins from reused addresses to a fresh address, the better.

Of course nobody should migrate from a non-reused address without exposed public key, but ... where should they migrate to anyway?

Good point on already-exposed addresses; you're right that for reused addresses or P2PK/P2TR (pubkey already on-chain), one more spend doesn't change exposure. The "don't panic-migrate" framing was specifically about never-spent P2PKH/P2WPKH (pubkey still hidden behind hash). For those, panic-migrating during a quantum emergency means revealing the pubkey in the mempool window, exactly when the threat is acute.

For already-exposed addresses: agreed, migrate now. Best current target is fresh never-reused P2PKH or P2WPKH. After a post quantum signature BIP activates, migrate to PQ address types. P2WPKH today is the cleanest path for funds that need to move pre-PQ; pubkey stays hidden under the hash until first spend.
