Of 7M Quantum-Exposed BTC, Only 2.3M Are Past Saving

~6.9M BTC have on-chain-visible public keys. About 2.3M can't be migrated to quantum-safe addresses; the remaining

The number sounds apocalyptic: roughly seven million Bitcoin — about a third of everything that will ever exist — sitting exposed to a machine that has not been built yet. The reality is more precise, and considerably less binary.

What Does '6.9M BTC Quantum-Exposed' Actually Mean?

Quantum exposure is a specific, measurable on-chain condition, not a vague fear. A coin is "exposed" when its public key is already visible in an unspent output, because a future cryptographically relevant quantum computer (CRQC) running Shor's algorithm could derive the private key from that public key and forge a valid spend. No wallet gets hacked, no seed phrase gets stolen — the signature scheme itself (secp256k1's elliptic-curve discrete-log problem) is what breaks. Three independent measurements now cluster in the same band, and the most-cited synthesis puts the practically stealable figure well below the seven-million headline.

Quick Answer: "Quantum-exposed" means a Bitcoin output's public key is already on-chain, where a future quantum computer could reverse it into the private key. Glassnode measures 6.04M BTC (30.2% of supply) exposed as of 20 May 2026 — but the Quantum Horizon paper splits that into ~2.3M irreversibly at risk and ~3.7M still migratable.

The estimates converge tightly. Glassnode measured 6.04 million BTC — 30.2% of issued supply — as quantum-exposed at rest, as of 20 May 2026. Coinbase's Independent Advisory Board report cited roughly 6.9 million BTC, and CoinDesk's coverage referenced a figure near 7 million BTC. As the Quantum Horizon paper (arXiv 2606.14484, June 2026) notes, all three land within roughly five percentage points of total supply — a rare consensus for a metric this contested.

The paper's more important contribution is the split. It adopts ~6.0 million BTC as its synthesis figure, then divides it into roughly 2.3 million BTC "irreducibly at risk" — where no surviving private key can authorize a migration — and roughly 3.7 million BTC still actionable. In other words, the number of coins that active owners can still protect is larger than the number already beyond rescue.

One clarification cuts through most of the alarmism: Bitcoin's mining and proof-of-work layer is not the attack surface. The theoretical Grover's-algorithm threat to SHA-256 is marginal and widely treated as a non-issue, leaving consensus and hashing fundamentally sound. The entire exposure sits at the wallet and signature layer. As reporting on the Coinbase report underscores, this is a key-management problem, not a network-integrity one.

"A decentralized network requiring broad consensus cannot upgrade as fast as a bank can — realistically Bitcoin's full transition is a five-to-ten-year effort," argues Jameson Lopp, framing the migration as a coordination challenge rather than a cryptographic dead end (source: The Currency Analytics).

Structural vs. Operational Exposure: The Two Buckets Driving the Headline Number

The quantum-exposed supply splits into two distinct buckets, and the distinction determines who can still act. Glassnode's on-chain measurement divides the roughly 6.04 million exposed BTC into structural exposure of 1.92 million BTC (9.6% of supply) and operational exposure of 4.12 million BTC (20.6%). Structural exposure is baked into the script; operational exposure is a behavioral artifact of address reuse. Only the second bucket is broadly fixable through routine wallet hygiene.

Structural exposure covers address types where the public key is inherently visible in the output itself — regardless of whether the address was ever reused. These are legacy Pay-to-Public-Key (P2PK) outputs, bare multisig (P2MS), and Taproot (P2TR) key-path outputs, where the output key is published on-chain by design. P2PK alone accounts for roughly 1.7 million BTC across about 20,000 addresses, predominantly Satoshi-era and early-miner coins whose full public key is literally written into the scriptPubKey. Because the key is part of the script, no owner action short of moving the coins to a modern address can conceal it — and many of these coins have no reachable owner at all.

Operational exposure is the larger and more surprising bucket. Spending from a P2PKH, P2SH, P2WPKH, or P2WSH address broadcasts that address's public key to the chain. Any such address that still holds a balance after a spend is now exposed, even though its type is quantum-safe when unused. This is why the reporting emphasized live, custodied coins rather than lost ones: operational exposure "largely belongs to active users," and it is remediable simply by never reusing an address.

The unexpected story sits inside that operational bucket: exchange cold wallets. Glassnode attributes about 1.66 million BTC (8.3% of supply) to exchange-related operational exposure, driven by repeated deposits and withdrawals against the same custody addresses. Reuse rates vary sharply by venue — Binance and Bitfinex show materially higher exposure than Coinbase, whose labeled on-chain balances register roughly 5% exposure in Glassnode's methodology.

| Bucket | Amount (share of supply) | Address types | Cause | Fixable by hygiene? |
| --- | --- | --- | --- | --- |
| Structural | 1.92M BTC (9.6%) | P2PK, P2MS, P2TR key-path | Public key embedded in output script | No — requires moving coins |
| Operational | 4.12M BTC (20.6%) | Reused P2PKH, P2SH, P2WPKH, P2WSH | Spending publishes the public key | Yes — stop reusing addresses |
| — of which exchanges | ~1.66M BTC (8.3%) | Custody cold wallets | Repeated deposit/withdrawal reuse | Yes — rotate deposit addresses |

The takeaway from the split is directional: the structural 1.92 million BTC is largely inert and hard to rescue, while the far larger operational 4.12 million — including that 1.66 million in exchange custody — is where address hygiene and migration can still move the needle before any capable machine exists.

Why 2.3M BTC Are Past Saving: The Irreversible-Loss Bucket

Roughly 2.3 million BTC are past saving because migrating a coin to a quantum-safe address requires signing a transaction with the coin's existing private key — and for this bucket, no one holds that key. The Quantum Horizon paper splits the ~6.0 million exposed supply into about 2.3 million BTC "irreducibly at risk" and about 3.7 million BTC still migratable. No protocol upgrade changes this arithmetic: a network cannot authorize a move on an owner's behalf without their signature, so keys that are gone stay gone.

The irreducible pile is dominated by coins whose private keys are presumed permanently inaccessible. The largest component is Satoshi-era Pay-to-Public-Key outputs — on the order of 1.7 million BTC across roughly 20,000 addresses, largely long-lost or dormant. Added to that are wallets whose seed phrase was lost and long-dormant outputs with no verifiable active owner. These coins are not merely exposed like a reused exchange address; they are the outputs a cryptographically relevant quantum computer could theoretically drain with zero recourse, because no legitimate party remains to sign a protective migration transaction.

That distinction — exposed-but-defensible versus exposed-and-orphaned — is what turns a technical problem into a governance one. The Coinbase-linked advisory framing lays out three approaches without endorsing one:

  • Freeze / burn — set a protocol deadline after which vulnerable outputs are frozen, capping the supply a future attacker could steal but overriding the "not your keys, not your coins" principle for coins nobody can move anyway.
  • Preservation — enable post-quantum addresses but leave the risk with owners, on property-rights grounds; nothing is confiscated, but the 2.3 million remains a standing target.
  • Intermediate measures — including an "Hourglass" design that rate-limits movement from legacy addresses per block, zero-knowledge tooling, and pre-signed protected transfer commitments (PACTs) that let an owner pre-authorize a safe migration path.

The disagreement is genuine. Tim Draper calls the fears overblown, while Jameson Lopp argues a decentralized network requiring broad consensus cannot upgrade at a bank's pace.

"A decentralized network needing broad consensus cannot upgrade as fast as banks," warns Jameson Lopp, who estimates Bitcoin's full transition would take five to ten years (source: Quantum Horizon / Lopp).

The practical implication for readers is blunt: the 2.3 million figure is a ceiling on unavoidable loss, not a warning you can act on personally. If you can still sign for your coins, you belong to the 3.7 million migratable group, not this one — a line the next section on quantum-attack mechanics makes concrete.

How a Quantum Attack Would Actually Work — and How Far Away the Hardware Is

A quantum attack on Bitcoin steals coins by forging signatures, not by out-mining the network. The specific method is Shor's algorithm solving the elliptic-curve discrete logarithm problem (ECDLP) on the secp256k1 curve — deriving a private key directly from a public key that is already visible on-chain. No network access, node control, or 51% hashpower is required; the attacker only needs the exposed public key and a sufficiently large fault-tolerant quantum computer. This is why the consensus and proof-of-work layer is treated as fundamentally sound, while the wallet and signature layer is where the exposure lives.

The hardware bar is high but increasingly well-quantified. A March 2026 paper from Google, the Ethereum Foundation and Stanford (arXiv 2603.28846) estimates that breaking 256-bit ECDLP would need fewer than 1,200 logical qubits and under 90 million Toffoli gates — or fewer than 1,450 logical qubits with under 70 million Toffoli gates. On fast superconducting architectures running at a 10⁻³ physical error rate, the authors map that to under 500,000 physical qubits completing the computation in "minutes". The Quantum Horizon model frames a wider band of roughly 1,200–2,330 logical qubits and about 0.5–320 million physical qubits.

Measured against 2026 reality, that threshold is not close. The best available devices operate at roughly 1,000–1,200 physical qubits with at most about 100 stable logical qubits — orders of magnitude below the error-corrected logical-qubit count required. No cryptographically relevant quantum computer (CRQC) exists today. The gap is not raw qubit count alone but persistent decoherence and the error-correction overhead needed to sustain stable logical qubits long enough to run Shor's circuit — the practical wall blocking the threshold.

The underappreciated part is timing. Because a public key stays visible on the ledger permanently, any actor can copy exposed keys from today's blockchain and archive them, then crack those stored keys retroactively once a CRQC arrives — the "harvest now, decrypt later" dynamic. The consequence is blunt: the effective migration deadline is set by when your key is harvested, not by when the quantum machine finally works. A coin whose key is captured today is on the clock even if the break lands in 2045.

Quantum Timeline Probabilities: When Does This Become a Real Deadline?

The real deadline is not a fixed date but a probability curve, and the credible forecasts cluster in the medium term rather than the next few years. The Quantum Horizon paper (arXiv 2606.14484) models the arrival of a cryptographically relevant quantum computer (CRQC) as a bimodal distribution: roughly a 1-in-6 chance (~17%) by 2035, near 30% by 2040, and about 60% by 2050, with an 80% confidence band spanning approximately 2032–2060. That spread is the practical planning window: wide enough to reject panic, narrow enough to reject inaction.

Expert panels read the risk more urgently. The Global Risk Institute's Quantum Threat Timeline Report 2025, drawing on 26 specialists, judges a CRQC within 10 years (by roughly 2035) "quite possible" at 28–49%, and within 15 years (by roughly 2040) "likely" at 51–70%. Those figures sit materially above the Quantum Horizon median scenario for the same horizon, which is why the reporting treats the timeline as contested rather than settled.

| Horizon | Quantum Horizon (arXiv 2606.14484) | Global Risk Institute 2025 (26-expert panel) |
| --- | --- | --- |
| By ~2035 (10 yr) | ~17% (1-in-6) | 28–49% ("quite possible") |
| By ~2040 (15 yr) | ~30% | 51–70% ("likely") |
| By ~2050 | ~60% | |
| 80% confidence span | ≈2032–2060 | |

Standards bodies have already stopped waiting for confirmation. NIST finalized its first three post-quantum cryptography standards on 13 August 2024 — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) — and urged administrators to begin migration planning immediately. The subtext is that the migration clock, not the hardware clock, governs preparedness.

For Bitcoin specifically, the gap between forecast and readiness is the crux. Jameson Lopp estimates a full network-wide transition to quantum-safe signatures would take five to ten years, precisely because decentralized consensus upgrades move far slower than a bank's internal migration.

"A decentralized network that needs broad consensus cannot upgrade as fast as banks can," argues Jameson Lopp, whose full-transition estimate runs to roughly five to ten years (source: The Currency Analytics).

Stack the numbers and the deadline logic becomes clear. If a CRQC is plausibly 10–15 years out and a full protocol migration takes 5–10 years, the migration must begin now to finish first. Combined with harvest-now-decrypt-later capture, the ecosystem's effective window is the near end of these ranges — not the comfortable median.

BIP-360, BIP-361, and the Post-Quantum Protocol Roadmap

Bitcoin's defensive roadmap currently rests on two draft proposals that tackle different slices of the exposure problem. BIP-360 (Pay-to-Merkle-Root) is the more targeted of the pair: assigned on 2024-12-18 and tracked at version v0.12.0, it removes the Taproot key-path spend so that P2TR outputs no longer publish a directly spendable public key, closing the "long exposure" window on those addresses. It is deliberately narrow. The proposal explicitly does not mitigate short-exposure mempool timing attacks, and it does not replace a full post-quantum signature migration — it seals one specific structural gap rather than the whole surface.

BIP-361, co-authored by Jameson Lopp, is the broader deprecation path. It proposes phasing out legacy signatures over time and barring new funds from being sent to quantum-vulnerable address types, which addresses both the structural bucket (P2PK, bare multisig, Taproot) and the operational bucket (reused P2PKH/P2WPKH addresses) rather than a single output class. In practice the two proposals are complementary: BIP-360 hardens what exists, while BIP-361 sets the sunset schedule for the vulnerable formats that keep the exposed supply large.

The harder engineering constraint sits in the signatures themselves. The post-quantum schemes NIST finalized — ML-DSA (FIPS 204) and SLH-DSA (FIPS 205), standardized on 2024-08-13 — produce signatures roughly 10 to 100 times larger than today's ECDSA signatures. That inflation carries directly into block-size demand and the fee market: fewer transactions per block, higher settlement costs, and throughput trade-offs the network must resolve before any broad activation is realistic. This is why the migration is framed as infrastructure work, not a single flag-day patch.

The Coinbase Independent Advisory Board — Yehuda Lindell (Bar-Ilan), Dan Boneh (Stanford), Scott Aaronson (UT Austin), Justin Drake (Ethereum Foundation), Sreeram Kannan (Eigen Labs/UW) and Dahlia Malkhi (UCSB) — recommends treating post-quantum migration as a medium-term infrastructure priority rather than a speculative concern. The recurring caution in that commentary is that even a 2035 migration target may be optimistic given Bitcoin's consensus dynamics.

"A decentralized network that needs broad consensus to change cannot upgrade as fast as banks can," argues Jameson Lopp, who estimates Bitcoin's full transition at five to ten years (source: The Currency Analytics).

The roadmap, then, is real but unfinished. BIP-360 and BIP-361 supply the mechanics, NIST supplies the algorithms, and the advisory board supplies the urgency — but the coordination cost of activating larger signatures across a permissionless network is the binding constraint that keeps this a multi-year program.

Your Risk Exposure by Address and Custody Type: A Decision Framework

Your personal quantum risk is not a single number — it is determined by the address type holding your coins and how those addresses have been used. The practical rule is simple: risk rises the moment your public key becomes visible on-chain, whether by design (P2PK) or by spending from a reused address (operational exposure). Glassnode's 20 May 2026 measurement splits 6.04 million exposed BTC into 1.92 million structurally exposed and 4.12 million operationally exposed, and every holder sits somewhere on that spectrum. Use the categories below to locate yourself and act accordingly.

P2PK (legacy, Satoshi-era outputs)

This is the highest structural risk tier. Pay-to-Public-Key outputs embed the raw public key directly in the scriptPubKey, so the key is exposed permanently regardless of spending behavior. P2PK accounts for roughly 1.7 million BTC across about 20,000 addresses, largely Satoshi-era or long-lost coins. If you actually control P2PK coins, migrate them now to a fresh native-SegWit (P2WPKH) or Taproot address with no reuse. Do not defer — a harvested key can be cracked later, so the deadline is set by when the key was first exposed, not when a working machine arrives.

P2PKH / P2SH with prior spend history

Reused addresses are operationally exposed: the public key was broadcast on the spend transaction and now sits permanently in the chain history. If you have ever spent from an address and still hold a balance there, treat moving that balance to a freshly generated address as a near-term priority, not a housekeeping task for later. This operational bucket is the larger and faster-growing category, which is precisely why the reporting drew attention to it.

P2WPKH / P2WSH or P2TR with no reuse

Single-spend or still-unspent outputs on modern address types carry lower current risk because the public key has not yet been published on-chain. Maintain strict no-reuse discipline: generate a fresh address for every receive, avoid consolidating into addresses you have already spent from, and monitor BIP-360 and BIP-361 deployment timelines so you can migrate when a quantum-safe path ships. Note that Taproot output keys are visible by design, which is one reason BIP-360 targets the key-path — so even here, discipline plus protocol upgrades both matter.

Exchange and custodian holdings

If your coins sit with a custodian, this becomes a due-diligence question rather than a wallet-hygiene one. Verify whether your provider has completed a cold-wallet address-reuse audit. Glassnode's on-chain methodology attributes about 1.66 million BTC (8.3% of supply) to exchange-related operational exposure, but the distribution is uneven: Coinbase-labeled balances measure only around 5% exposed, while Binance and Bitfinex show materially higher reuse rates. Ask your custodian directly where they stand.

Dormant or lost-key holdings

If you cannot sign — lost keys, inaccessible seeds — you are by definition inside the roughly 2.3 million BTC irreversible bucket. No individual action changes this outcome. The exposure here becomes a network-level governance question: whether the protocol chooses to freeze, preserve, or rate-limit these outputs before a CRQC exists. Your only lever is participating in that consensus debate, not moving coins you can no longer touch.
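
Added example (not from the original article and not Glassnode's methodology): a Python classifier that sorts a wallet's outputs into the categories above by parsing each scriptPubKey, counting P2PK, bare multisig and P2TR as structural and a hashed type as operational only when the same script has already appeared as a spent input. The sample scripts, amounts and the SPENT_BEFORE set are constructed; in practice that set is assumed to come from your own wallet or node history.

```python
# Added example: sort outputs into the article's exposure buckets (constructed data).
from collections import defaultdict

STRUCTURAL = {"P2PK", "P2MS", "P2TR"}           # key visible in the output itself
HASHED = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}   # key visible only after a spend

def _is_pubkey(b: bytes) -> bool:
    """SEC1 shape check: 33-byte compressed or 65-byte uncompressed key."""
    return (len(b) == 33 and b[0] in (2, 3)) or (len(b) == 65 and b[0] == 4)

def _is_bare_multisig(s: bytes) -> bool:
    """OP_m <pubkey>... OP_n OP_CHECKMULTISIG with 1 <= m <= n <= 16."""
    if len(s) < 37 or s[-1] != 0xAE:
        return False
    m, n = s[0] - 0x50, s[-2] - 0x50
    if not 1 <= m <= n <= 16:
        return False
    i, keys, end = 1, 0, len(s) - 2
    while i < end:
        size = s[i]                              # direct push: opcode == key length
        if size not in (33, 65) or i + 1 + size > end:
            return False                         # truncated or non-key push
        if not _is_pubkey(s[i + 1:i + 1 + size]):
            return False
        i, keys = i + 1 + size, keys + 1
    return keys == n

def classify_script(spk_hex: str) -> str:
    """Map a scriptPubKey (hex) to its standard output type."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC and _is_pubkey(s[1:-1]):
        return "P2PK"
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH"
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH"
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH"
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR"
    return "P2MS" if _is_bare_multisig(s) else "UNKNOWN"

def exposure(spk_hex: str, spent_before: set) -> str:
    """structural | operational | unexposed | unknown, per the article's buckets."""
    kind = classify_script(spk_hex)
    if kind in STRUCTURAL:
        return "structural"
    if kind in HASHED:
        # Reuse test: this exact script already funded a spent input (assumed index).
        return "operational" if spk_hex.lower() in spent_before else "unexposed"
    return "unknown"

def audit(utxos, spent_before: set) -> dict:
    """Sum satoshis per bucket; utxos is an iterable of (scriptPubKey hex, sats)."""
    totals = defaultdict(int)
    for spk, sats in utxos:
        totals[exposure(spk, spent_before)] += sats
    return dict(totals)

# Constructed sample wallet (filler bytes stand in for keys and hashes).
P2PK_OUT = "41" + "04" + "11" * 64 + "ac"
P2PKH_REUSED = "76a914" + "ab" * 20 + "88ac"
P2WPKH_FRESH = "0014" + "ef" * 20
P2TR_OUT = "5120" + "cd" * 32
P2MS_OUT = "51" + "2102" + "22" * 32 + "2103" + "33" * 32 + "52ae"
SAMPLE_UTXOS = [(P2PK_OUT, 5_000_000_000), (P2PKH_REUSED, 120_000_000),
                (P2WPKH_FRESH, 30_000_000), (P2TR_OUT, 7_000_000), (P2MS_OUT, 1_000_000)]
SPENT_BEFORE = {P2PKH_REUSED}   # scripts already seen as a spent input

if __name__ == "__main__":
    print(audit(SAMPLE_UTXOS, SPENT_BEFORE))
```

The reuse test is keyed on the exact scriptPubKey, so it flags only balances sitting on a script that has already been spent from; a fresh output of the same type stays in the unexposed bucket.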

What the 2.3M vs. 4.6M Split Means for Bitcoin's Next Decade

The 2.3M-versus-4.6M split reframes Bitcoin's quantum exposure as two separate problems on two separate clocks. The roughly 2.3 million BTC in the irreversible bucket is a governance and property-rights question, not a technical one — no address hygiene retroactively re-hides a public key that is already on-chain. The roughly 4.6 million migratable BTC (the balance of the ~6.9M headline once the irreducible block is removed) is a closing window, where inaction today is what converts recoverable risk into permanent loss.

The size of that window is what makes the debate substantive rather than alarmist. Expert models place a cryptographically relevant quantum computer within a medium-term band — the Global Risk Institute's 2025 survey put a break within 15 years at a "likely" 51–70% across 26 experts. Because keys can be harvested now and cracked later, the practical deadline is set by when your public key is recorded, not by when the hardware arrives.

Industry reaction is genuinely divided, and both poles are grounded in real structural differences. Tim Draper characterizes the fears as overblown; Jameson Lopp counters that a decentralized network requiring broad consensus cannot upgrade at the pace of a centralized bank.

"A decentralized network needing broad consensus cannot upgrade as fast as banks," argues Jameson Lopp, who estimates Bitcoin's full transition at five to ten years (source: The Currency Analytics).

For traders, custodians, and builders, that gap between a 5–15 year threat band and a 5–10 year upgrade cycle sets a clear priority order:

  • Address hygiene now — never reuse an address; generate a fresh output for every receive to avoid publishing your public key.
  • Track the protocol path — monitor BIP-360's Merkle-root design and the BIP-361 proposal to bar sends to vulnerable address types, and test them on testnet.
  • Audit custody — exchanges and custodians should measure cold-wallet reuse rates, given exchange-related operational exposure of roughly 1.66 million BTC.
  • Plan for fees — post-quantum signatures can run 10–100x larger, pressuring block space when a PQC standard activates.

The takeaway is disciplined, not dramatic: the 2.3 million lost coins are the network's problem to debate, but the 4.6 million migratable coins are yours to protect — and the cheapest defense, stopping address reuse, costs nothing and works today.

Last updated: 2026-07-05. Reviewed against Glassnode, Quantum Horizon (arXiv 2606.14484), and Global Risk Institute 2025 data.

Frequently asked questions

Is my Bitcoin at risk from quantum computers right now?

No. No cryptographically relevant quantum computer (CRQC) exists in 2026, and current hardware — roughly 1,000–1,200 physical qubits and at most about 100 logical qubits — sits orders of magnitude below the threshold needed to forge a Bitcoin signature. Estimates put the requirement near 1,200–2,330 logical qubits and roughly 0.5–320 million physical qubits. The threat is probabilistic over a 10–25 year horizon, not immediate. The most actionable step today is address hygiene — no panic selling required.

Which Bitcoin address types are safest against a quantum attack?

Fresh, never-spent P2WPKH or P2TR outputs carry the lowest current risk, because their public key has not yet been broadcast to the chain and cannot be harvested. The highest-risk categories are legacy Pay-to-Public-Key (P2PK) outputs — on the order of 1.7 million BTC across roughly 20,000 addresses — and any address that has a prior spend but still holds a balance, since spending publishes the public key. A strict no-reuse policy is the most effective defense available today.

What is 'harvest now, decrypt later' and why does it change the migration urgency?

"Harvest now, decrypt later" means exposed public keys already sitting on the public blockchain can be copied and stored by any actor today at zero cost, then cracked retroactively once a CRQC exists — even if that arrives years from now. The practical consequence is that the effective migration deadline is set by when keys are harvested, not by when the quantum break arrives. That makes moving coins to unexposed addresses earlier materially safer than waiting for hardware headlines.

Why can't the 2.3M at-risk BTC simply be migrated to quantum-safe addresses?

Migration requires signing a transaction with the original private key. For the roughly 2.3 million BTC classified as "irreducibly at risk" — largely Satoshi-era P2PK coins and long-dormant wallets — that key is presumed lost, so no authorized party can move the funds regardless of which protocol upgrades ship. These coins are cryptographically stranded. The remaining roughly 3.7 million exposed BTC are still migratable because their owners can sign a move. The only open question for the stranded coins is the protocol-level governance response.

Does BIP-360 solve Bitcoin's quantum risk?

Only partially. BIP-360 (Pay-to-Merkle-Root, Draft assigned 2024-12-18, v0.12.0) removes the Taproot key-path spend, closing the structural P2TR "long exposure" vulnerability. It does not address operational exposure from address reuse or short-exposure mempool timing attacks, nor does it serve as a complete post-quantum signature standard. It is one layer in a multi-step migration — alongside proposals like BIP-361 and eventual NIST-standard post-quantum signatures — rather than a standalone fix.
