Bitcoin quantum exposure

Total BTC currently held at addresses whose pubkey has been revealed on-chain. This is the supply that a sufficiently powerful quantum attacker could steal by inverting ECDSA/Schnorr signatures. Updated weekly from a full UTXO-set walk joined against our revealed_addresses registry.

On this page
  1. Summary
  2. The breakdown
  3. Balance distribution
  4. Concentration
  5. Redeem-shape breakdown
  6. Aged exposure
  7. Weekly change
  8. History
  9. Threat model
  10. Why our number is honest
  11. Methodology
BTC at risk
7,013,654
~35.0% of 20,050,661 BTC circulating
Always-exposed
1,927,996
P2PK + bare multisig + P2TR; pubkey is the output script
Reuse-exposed
5,085,658
P2PKH/P2WPKH/P2SH/P2WSH where a prior spend revealed the pubkey
Snapshot date: 2026-06-28 at block 955,767. Updates every Sunday at 06:00 UTC from the weekly UTXO walk.
Baseline 2026 Q2 · quarterly PDF report
Cobranded with LearnBitcoin. Methodology version v1.0 (25.2% of supply). The live figures on this page reflect the v1.1 correction below; the PDF is preserved as the original v1.0 record.
Open PDF →
Methodology v1.1 correction (2026-06-15). After the Baseline 2026 Q2 PDF was published, we identified roughly 1.04M BTC of nested-segwit reuse (P2SH-wrapped P2WPKH and P2WSH) that the v1.0 walker had skipped: for those spends the pubkey is revealed in the witness, not in the scriptSig redeem the v1.0 parser inspected. Folding it in moved the strict figure from 25.2% to ~30.5% of supply. The PDF remains the v1.0 record of record; the v1.2 correction below carries it the rest of the way.
Methodology v1.2 correction (2026-06-23). We were undercounting old uncompressed-key P2PK by about half. Those outputs (almost all Satoshi-era coinbase that has never moved) are matched internally by a key built from the pubkey's X-coordinate plus a Y-parity bit, and two stages of our pipeline computed that bit differently, so about half the coins silently failed to join. The fix moves P2PK from ~0.85M to ~1.72M BTC and the headline from ~30.5% to 35.0% of supply. We found it by diffing against Wicked Smart Bitcoin's open-source count; credit to him for closing the gap.
New to this? Read the plain-English explainer first.
This page is the live-data view for advanced readers. Read our companion rabbit hole on LearnBitcoin.com for the layman's walkthrough of quantum computing and Bitcoin: what it actually threatens, why P2PK and P2TR are exposed by design, and what you can do today.
Quantum and Bitcoin (LearnBitcoin rabbit hole) →

The breakdown

Six buckets, ordered by BTC at risk. Where the BTC lives on the left (each wedge is that script type's share of the at-risk BTC). Where the addresses are on the right (each wedge is that script type's share of the at-risk address count). When the same script type makes a big slice in one wheel but a sliver in the other, concentration is at work.

Where the BTC lives
P2WPKH reuse-exposed: 1,910,302 BTC (27.2% of BTC) · 3,578,838 addresses (26.1% of addresses) P2PK always-exposed: 1,716,077 BTC (24.5% of BTC) · 39,478 addresses (0.3% of addresses) P2SH reuse-exposed: 1,297,276 BTC (18.5% of BTC) · 1,144,572 addresses (8.4% of addresses) P2PKH reuse-exposed: 1,191,695 BTC (17.0% of BTC) · 3,915,180 addresses (28.6% of addresses) P2WSH reuse-exposed: 686,385 BTC (9.8% of BTC) · 88,648 addresses (0.6% of addresses) P2TR always-exposed: 211,919 BTC (3.0% of BTC) · 4,933,860 addresses (36.0% of addresses) 7,013,654 BTC at risk
Where the addresses are
P2WPKH reuse-exposed: 1,910,302 BTC (27.2% of BTC) · 3,578,838 addresses (26.1% of addresses) P2PK always-exposed: 1,716,077 BTC (24.5% of BTC) · 39,478 addresses (0.3% of addresses) P2SH reuse-exposed: 1,297,276 BTC (18.5% of BTC) · 1,144,572 addresses (8.4% of addresses) P2PKH reuse-exposed: 1,191,695 BTC (17.0% of BTC) · 3,915,180 addresses (28.6% of addresses) P2WSH reuse-exposed: 686,385 BTC (9.8% of BTC) · 88,648 addresses (0.6% of addresses) P2TR always-exposed: 211,919 BTC (3.0% of BTC) · 4,933,860 addresses (36.0% of addresses) 13,700,576 at-risk addresses

Same numbers, as horizontal stacked bars:

BTC
addrs
P2WPKH reuse-exposed
P2PK always-exposed
P2SH reuse-exposed
P2PKH reuse-exposed
P2WSH reuse-exposed
P2TR always-exposed
The largest single bucket is not Satoshi. 1,910,302 BTC is currently held at P2WPKH addresses that have been reused at least once. That is 27.2% of the at-risk pool, the editorial pivot of the entire dataset. Reuse-exposed legacy and segwit hashed types together dwarf the ancient P2PK supply: this is users today, not a museum piece.
Every new taproot output is exposed at creation time, by design. P2TR (BIP-341) uses the x-only tweaked pubkey directly as the bech32m address. There is no hash layer in front. Every new P2TR output adds to always-exposed supply the moment it lands on chain. Coins leave that pool only when they're spent to a non-always-exposed script type.
P2PK: tiny by entries, huge by BTC. 39,478 addresses (0.29% of at-risk) hold 1,716,077 BTC: 24.5% of at-risk supply. Average ≈43 BTC per address; ≈1,012× P2TR's average in the same always-exposed category, and ≈85× the pool-wide average.

Raw figures by script type

Script type Exposure Addresses BTC at risk % of at-risk Share
witness_v0_keyhash reuse 3,578,838 1,910,301.77 27.24%
pubkey always 39,478 1,716,077.37 24.47%
scripthash reuse 1,144,572 1,297,276.27 18.50%
pubkeyhash reuse 3,915,180 1,191,694.65 16.99%
witness_v0_scripthash reuse 88,648 686,385.40 9.79%
witness_v1_taproot always 4,933,860 211,918.95 3.02%

Balance distribution

At-risk addresses grouped by current balance. BTC share runs leftward from the bucket label; address-count share runs rightward; both at the same 0-100% scale. The crossover row (highlighted) is where the two are balanced: above it addresses dominate, below it BTC dominates.

Of the 13,700,576 at-risk addresses, 277,623 currently hold exactly 1 satoshi, 2,828,213 hold under 1,000 sats, and 12,301,860 hold under 1M sats. Dust dominates by count; whales dominate by value.

Share of BTC
bucket
Share of addresses
0.00%
exactly 1 sat
2.03%
0.00%
2 sat – 1k sat
18.62%
0.00%
1k sat – 10k sat
31.49%
0.02%
10k sat – 100k sat
25.37%
0.08%
100k sat – 0.01 BTC
12.29%
0.42%
0.01 BTC – 0.1 BTC
6.25%
1.72%
0.1 BTC – 1 BTC
2.85%
3.73%
1 BTC – 10 BTC
0.72%
29.95%
10 BTC – 100 BTC
0.36%
15.64%
100 BTC – 1,000 BTC
0.03%
18.40%
1,000 BTC – 10,000 BTC
0.00%
30.03%
≥ 10,000 BTC
0.00%

Concentration curve

How concentrated the at-risk pool is, plotted as a Lorenz curve. X-axis is the cumulative share of addresses (sorted smallest balance to largest); Y-axis is the cumulative share of at-risk BTC. The dashed diagonal is perfect equality (every address holds the same). The further the curve bows toward the bottom-right corner, the more concentrated the holdings. The Gini coefficient summarises the bow in one number, from 0 (equal) to 1 (one address holds everything).

Top 0.03% of addresses hold 63.9% of BTC Bottom 90% of addresses hold just 0.11% of BTC 0% 25% 50% 75% 100% 0% 25% 50% 75% 100% x: cumulative share of addresses · y: cumulative share of at-risk BTC
Gini coefficient = 0.997. Concentration is severe: the bottom 90% of at-risk addresses hold only 0.11% of at-risk BTC, and the top 0.03% of addresses hold 63.9% of BTC. A perfectly equal distribution would have Gini 0; a single-address monopoly would have Gini 1.

Redeem-shape breakdown

What shape are the P2SH/P2WSH redeem scripts behind the at-risk supply? Only pubkey-bearing shapes are quantum-exposed; the rest (timelock-only, hash-preimage, OP_RETURN-shaped) are what separate our strict count from the conservative one. Current held balance by shape:

Script typeRedeem shape AddressesBTC heldPubkey?
p2sh_p2wpkh nested P2WPKH 757,532 897,250.70 exposed
witness_v0_scripthash multisig 86,798 684,284.25 exposed
scripthash multisig 278,138 244,259.83 exposed
p2sh_p2wsh multisig 110,288 155,574.13 exposed
scripthash single-key CHECKSIG 1,104 2,491.35 exposed
witness_v0_scripthash pubkey + timelock 577 2,087.78 exposed
p2sh_p2wsh pubkey + timelock 1,402 375.74 exposed
scripthash hash-preimage only 563 54.29 safe
witness_v0_scripthash pubkey + hashlock 1,196 12.28 exposed
witness_v0_scripthash timelock only 646 1.34 safe
witness_v0_scripthash hash-preimage only 236 1.28 safe
witness_v0_scripthash single-key CHECKSIG 77 1.09 exposed
p2sh_p2wsh hash-preimage only 1,685 0.34 safe
scripthash pubkey + hashlock 18 0.07 exposed
scripthash pubkey + timelock 248 0.04 exposed

M-of-N multisig by aggregate balance (top 6):

3-of-5 477,760 BTC
2-of-3 348,231 BTC
2-of-2 114,920 BTC
3-of-6 42,618 BTC
4-of-8 26,984 BTC
3-of-7 16,806 BTC

Full breakdown, every output type, and the complete M-of-N distribution: UTXO repartition dashboard →

Aged exposure

Of the currently at-risk supply, how long has each address been exposed? Age = base block height minus first-reveal block height (the moment the address's pubkey first hit the chain). The 5+ year bucket is dominated by Satoshi-era P2PK and ancient address-reuse stragglers: coins that have been forensically reachable for the entire modern history of the network.

3,228,702 BTC has been quantum-exposed for 5+ years (46.0% of currently at-risk supply).
Age bucket Always-exposed (BTC) Reuse-exposed (BTC) Total BTC % of at-risk Share
5+ years 1,716,076.55 1,512,625.75 3,228,702.30 46.03%
1–5 years 80,183.35 2,232,981.56 2,313,164.91 32.98%
30 days – 1 year 115,379.17 1,272,432.47 1,387,811.63 19.79%
< 30 days 16,357.25 67,618.31 83,975.57 1.20%

Weekly change since 2026-06-21

Week-over-week change, updated every Sunday.

Total Δ
-34,638.97 BTC
from 7,048,293 BTC
Always-exposed Δ
-2,211.56 BTC
P2PK + bare multisig + P2TR
Reuse-exposed Δ
-32,427.41 BTC
hashed types where a prior spend revealed the pubkey

Quantum exposure over time

Stacked weekly snapshots. Always-exposed is the floor (largely Satoshi-era P2PK that hasn't moved + the growing taproot supply); reuse-exposed sits on top and tracks address reuse across active addresses. The full series accumulates as Sunday walks complete.

Why the early curve climbs. The steep rise across the first few weeks reflects us getting detection right, not the chain becoming more exposed. Two corrections landed close together. v1.1 folded in ~1.04M BTC of nested-segwit reuse our first walker had skipped. v1.2 fixed a key-matching bug that was dropping roughly half of the old uncompressed-key P2PK supply, almost all of it Satoshi-era coinbase that has never moved. We caught the second one by diffing our results against Wicked Smart Bitcoin's independently-built count after he open-sourced his pipeline; credit to him for helping us close the last gap. Detection is calibrated now, so from here the line should track the chain itself.

What's actually at risk

A quantum computer with enough qubit-stability to run Shor's algorithm against secp256k1 could derive a private key from any publicly-visible pubkey. Bitcoin's hash-based address types (P2PKH, P2WPKH, P2SH, P2WSH) protect the pubkey behind a SHA256 + RIPEMD160 hash until you spend. Once you do, the pubkey is permanently in the witness data for anyone to harvest, and every subsequent UTXO at the same address is just as exposed as the moment of first spend.

P2PK and bare-multisig outputs (mostly pre-2013 coinbase and ancient fund-flows) carry the pubkey directly in the output script; they were always exposed. P2TR (taproot) outputs use the x-only pubkey as the address by design, also always exposed. Address reuse on hashed types is the largest single contributor; the Satoshi-era P2PK supply is the most symbolically significant.

Why our number is honest

Three measurements triangulate Bitcoin's quantum-exposed supply. BIP-361 (Lopp et al.) reports over 34% as of March 2026 from an analytic count. Wicked Smart Bitcoin independently confirms this empirically at 34.55% (block 951,000, conservative on-chain parsing). We land at 35.0%, a touch above Wicked because we measure at a more recent block height. On P2SH and P2WSH spends we apply STRICT redeem-script parsing: an address gets marked exposed only when the actually-revealed redeem script contains a pubkey push followed by OP_CHECKSIG/OP_CHECKSIGVERIFY, or contains OP_CHECKMULTISIG/OP_CHECKMULTISIGVERIFY. Timelock-only redeem scripts (OP_CHECKLOCKTIMEVERIFY OP_DROP OP_TRUE), hash-preimage scripts, and OP_RETURN-shaped wrappers don't leak pubkeys on spend and are correctly excluded.

On P2SH and P2WSH the two on-chain measurements bound the truth: Wicked's conservative figure counts every revealed redeem script as exposed, while our strict figure counts only those that actually carry a pubkey. Two corrections brought our overall number into line with his. Methodology v1.1 added roughly 1.04M BTC of nested-segwit reuse (P2SH-wrapped P2WPKH and P2WSH), whose pubkey is revealed in the witness rather than in the scriptSig redeem our first parser inspected. Methodology v1.2 fixed a Y-parity key-matching bug that had been dropping about half of our uncompressed-key P2PK; we found it by diffing against Wicked's pipeline after he open-sourced it. The two counts now agree within block-height drift. Our strict P2SH/P2WSH treatment stays a floor by design, and both numbers are true under their respective parsing rules.

Methodology

  • Source: our own bitcoind full node, queried via getblock verbosity 3 (returns each input's prevout, scriptPubKey, and witness inline).
  • Registry: a chronological chain walk builds a master revealed_addresses set keyed on address. Every input and every output in every block is inspected.
  • Exposure rules (mirrors BIP-361 threat enumeration):
    • P2PK / bare multisig / P2TR: always exposed at output-create time.
    • P2PKH / P2WPKH: reuse-exposed on first spend (witness contains <sig> <pubkey>).
    • P2SH / P2WSH: reuse-exposed on first spend iff the revealed redeem script contains a pubkey + CHECKSIG-family opcode.
  • Aggregate: weekly UTXO-set walk via dumptxoutset; each UTXO's value is summed into its exposure slice if the address appears in revealed_addresses.
  • Companion measurement: Wicked Smart Bitcoin publishes an independent on-chain dashboard using BIP-361's conservative parsing rules; their figure tracks the upper bound, ours tracks the rigorous lower bound. The gap is the universe of P2SH/P2WSH spends whose revealed redeem scripts do not contain a pubkey-bearing opcode.
  • References: BIP-361 (Lopp et al.), P2PKH on bitcoin.it, our top exposed addresses by current balance.
  • Further reading: Quantum and Bitcoin, the rabbit hole on LearnBitcoin.com.