Bitcoin quantum exposure

Total BTC currently held at addresses whose pubkey has been revealed on-chain. This is the supply that a sufficiently powerful quantum attacker could steal by inverting ECDSA/Schnorr signatures. Updated weekly from a full UTXO-set walk joined against our revealed_addresses registry.

On this page

Summary
The breakdown
Balance distribution
Concentration
Aged exposure
Weekly change
History
Threat model
Why our number is honest
Methodology

BTC at risk

5,071,264

~25.3% of 20,041,254 BTC circulating

Always-exposed

1,063,006

P2PK + bare multisig + P2TR; pubkey is the output script

Reuse-exposed

4,008,258

P2PKH/P2WPKH/P2SH/P2WSH where a prior spend revealed the pubkey

Snapshot date: 2026-06-07 at block 952,694. Updates every Sunday at 06:00 UTC from the weekly UTXO walk.

Baseline 2026 Q2 · quarterly PDF report

Cobranded with LearnBitcoin. Snapshot block 952,694, 2026-06-07. Methodology version v1.0.

Open PDF →

New to this? Read the plain-English explainer first.

This page is the live-data view for advanced readers. Read our companion rabbit hole on LearnBitcoin.com for the layman's walkthrough of quantum computing and Bitcoin: what it actually threatens, why P2PK and P2TR are exposed by design, and what you can do today.

Quantum and Bitcoin (LearnBitcoin rabbit hole) →

The breakdown

Six buckets, ordered by BTC at risk. Where the BTC lives on the left (each wedge is that script type's share of the at-risk BTC). Where the addresses are on the right (each wedge is that script type's share of the at-risk address count). When the same script type makes a big slice in one wheel but a sliver in the other, concentration is at work.

Where the BTC lives

Where the addresses are

Same numbers, as horizontal stacked bars:

BTC

addrs

P2WPKH reuse-exposed

P2PKH reuse-exposed

P2PK always-exposed

P2WSH reuse-exposed

P2SH reuse-exposed

P2TR always-exposed

The largest single bucket is not Satoshi. 1,896,840 BTC is currently held at P2WPKH addresses that have been reused at least once. That is 37.4% of the at-risk pool, the editorial pivot of the entire dataset. Reuse-exposed legacy and segwit hashed types together dwarf the ancient P2PK supply: this is users today, not a museum piece.

Every new taproot output is exposed at creation time, by design. P2TR (BIP-341) uses the x-only tweaked pubkey directly as the bech32m address. There is no hash layer in front. Every new P2TR output adds to always-exposed supply the moment it lands on chain. Coins leave that pool only when they're spent to a non-always-exposed script type.

P2PK: tiny by entries, huge by BTC. 22,223 addresses (0.17% of at-risk) hold 853,246 BTC: 16.8% of at-risk supply. Average ≈38 BTC per address; ≈896× P2TR's average in the same always-exposed category, and ≈97× the pool-wide average.

Raw figures by script type

Script type	Exposure	Addresses	BTC at risk	% of at-risk
`witness_v0_keyhash`	reuse	3,534,421	1,896,840.38	37.40%
`pubkeyhash`	reuse	3,927,012	1,196,717.12	23.60%
`pubkey`	always	22,223	853,246.50	16.83%
`witness_v0_scripthash`	reuse	88,940	675,991.52	13.33%
`scripthash`	reuse	279,102	238,709.23	4.71%
`witness_v1_taproot`	always	4,897,349	209,759.13	4.14%

Balance distribution

At-risk addresses grouped by current balance. BTC share runs leftward from the bucket label; address-count share runs rightward; both at the same 0-100% scale. The crossover row (highlighted) is where the two are balanced: above it addresses dominate, below it BTC dominates.

Of the 12,749,047 at-risk addresses, 277,394 currently hold exactly 1 satoshi, 2,694,209 hold under 1,000 sats, and 11,484,229 hold under 1M sats. Dust dominates by count; whales dominate by value.

Share of BTC

bucket

Share of addresses

0.00%

exactly 1 sat

2.18%

0.00%

2 sat – 1k sat

18.96%

0.00%

1k sat – 10k sat

31.42%

0.02%

10k sat – 100k sat

25.17%

0.11%

100k sat – 0.01 BTC

12.36%

0.54%

0.01 BTC – 0.1 BTC

6.23%

2.14%

0.1 BTC – 1 BTC

2.76%

4.43%

1 BTC – 10 BTC

0.67%

23.26%

10 BTC – 100 BTC

0.23%

19.68%

100 BTC – 1,000 BTC

0.03%

20.36%

1,000 BTC – 10,000 BTC

0.00%

29.47%

≥ 10,000 BTC

0.00%

Concentration curve

How concentrated the at-risk pool is, plotted as a Lorenz curve. X-axis is the cumulative share of addresses (sorted smallest balance to largest); Y-axis is the cumulative share of at-risk BTC. The dashed diagonal is perfect equality (every address holds the same). The further the curve bows toward the bottom-right corner, the more concentrated the holdings. The Gini coefficient summarises the bow in one number, from 0 (equal) to 1 (one address holds everything).

Gini coefficient = 0.997. Concentration is severe: the bottom 90% of at-risk addresses hold only 0.13% of at-risk BTC, and the top 0.03% of addresses hold 69.7% of BTC. A perfectly equal distribution would have Gini 0; a single-address monopoly would have Gini 1.

Aged exposure

Of the currently at-risk supply, how long has each address been exposed? Age = base block height minus first-reveal block height (the moment the address's pubkey first hit the chain). The 5+ year bucket is dominated by Satoshi-era P2PK and ancient address-reuse stragglers: coins that have been forensically reachable for the entire modern history of the network.

1,822,794 BTC has been quantum-exposed for 5+ years (35.9% of currently at-risk supply).

Age bucket	Always-exposed (BTC)	Reuse-exposed (BTC)	Total BTC	% of at-risk
5+ years	853,246.33	969,547.95	1,822,794.28	35.94%
1–5 years	80,153.87	1,814,927.87	1,895,081.74	37.37%
30 days – 1 year	111,611.61	1,170,783.98	1,282,395.59	25.29%
< 30 days	17,993.82	52,998.45	70,992.27	1.40%

Weekly change since 2026-05-31

Week-over-week change, updated every Sunday.

Total Δ

+27,601.43 BTC

from 5,043,662 BTC

Always-exposed Δ

+4,744.67 BTC

P2PK + bare multisig + P2TR

Reuse-exposed Δ

+22,856.76 BTC

hashed types where a prior spend revealed the pubkey

Quantum exposure over time

Stacked weekly snapshots. Always-exposed is the floor (largely Satoshi-era P2PK that hasn't moved + the growing taproot supply); reuse-exposed sits on top and tracks address reuse across active addresses. The full series accumulates as Sunday walks complete.

What's actually at risk

A quantum computer with enough qubit-stability to run Shor's algorithm against secp256k1 could derive a private key from any publicly-visible pubkey. Bitcoin's hash-based address types (P2PKH, P2WPKH, P2SH, P2WSH) protect the pubkey behind a SHA256 + RIPEMD160 hash until you spend. Once you do, the pubkey is permanently in the witness data for anyone to harvest, and every subsequent UTXO at the same address is just as exposed as the moment of first spend.

P2PK and bare-multisig outputs (mostly pre-2013 coinbase and ancient fund-flows) carry the pubkey directly in the output script; they were always exposed. P2TR (taproot) outputs use the x-only pubkey as the address by design, also always exposed. Address reuse on hashed types is the largest single contributor; the Satoshi-era P2PK supply is the most symbolically significant.

Why our number is honest

Three measurements triangulate Bitcoin's quantum-exposed supply. BIP-361 (Lopp et al.) reports over 34% as of March 2026 from an analytic count. Wicked Smart Bitcoin independently confirms this empirically at 34.55% (block 951,000, conservative on-chain parsing). We come in at 25.3% because we apply STRICT redeem-script parsing on P2SH and P2WSH spends: an address gets marked exposed only when the actually-revealed redeem script contains a pubkey push followed by OP_CHECKSIG/OP_CHECKSIGVERIFY, or contains OP_CHECKMULTISIG/OP_CHECKMULTISIGVERIFY. Timelock-only redeem scripts (OP_CHECKLOCKTIMEVERIFY OP_DROP OP_TRUE), hash-preimage scripts, and OP_RETURN-shaped wrappers don't leak pubkeys on spend and are correctly excluded.

The two on-chain measurements bound the truth. Wicked's conservative figure traces BIP-361's analytic upper bound: every P2SH/P2WSH address whose redeem script was ever revealed counts as exposed. Our strict figure is the rigorous lower bound: only redeems containing a pubkey-bearing opcode count. The ~9.2-point gap is the universe of P2SH/P2WSH spends whose revealed scripts do not contain a pubkey-bearing opcode: timelock-only redeems, hash-preimage shapes, OP_RETURN-style wrappers, and other puzzle scripts. Real exposure sits between the two values; both numbers are true under their respective parsing rules.

Methodology

Source: our own bitcoind full node, queried via getblock verbosity 3 (returns each input's prevout, scriptPubKey, and witness inline).
Registry: a chronological chain walk builds a master revealed_addresses set keyed on address. Every input and every output in every block is inspected.
Exposure rules (mirrors BIP-361 threat enumeration):
- P2PK / bare multisig / P2TR: always exposed at output-create time.
- P2PKH / P2WPKH: reuse-exposed on first spend (witness contains <sig> <pubkey>).
- P2SH / P2WSH: reuse-exposed on first spend iff the revealed redeem script contains a pubkey + CHECKSIG-family opcode.
Aggregate: weekly UTXO-set walk via dumptxoutset; each UTXO's value is summed into its exposure slice if the address appears in revealed_addresses.
Companion measurement: Wicked Smart Bitcoin publishes an independent on-chain dashboard using BIP-361's conservative parsing rules; their figure tracks the upper bound, ours tracks the rigorous lower bound. The gap is the universe of P2SH/P2WSH spends whose revealed redeem scripts do not contain a pubkey-bearing opcode.
References: BIP-361 (Lopp et al.), P2PKH on bitcoin.it, our top exposed addresses by current balance.
Further reading: Quantum and Bitcoin, the rabbit hole on LearnBitcoin.com.

← back to all reports