
Which Bitcoin Is Vulnerable to Quantum Computing? Address Types, Exposure Tiers, and What You Can Do


Glenn Cameron | Global Head, Onramp Institutional

Feb 26, 2026


Not all Bitcoin faces the same quantum risk. Here is how to think about which coins are most exposed, why it depends on more than just "when quantum arrives," and what you can do about your own holdings today.

Every time a quantum computing headline hits the news cycle, the same panic question surfaces: are my coins safe? The short answer is yes, today they are. No quantum computer exists in 2026 that can threaten any Bitcoin, and most credible estimates place a cryptographically relevant quantum computer (CRQC) at least 10 to 15 years away, with conservative estimates stretching to 20 to 40 years. The gap between current quantum capability (roughly 24 to 28 logical qubits demonstrated) and what would be needed to break Bitcoin's cryptography (approximately 6,000 logical qubits) is multiple orders of magnitude. Nothing in this article describes a risk that exists today.

That said, understanding which Bitcoin would be most exposed if a CRQC eventually arrives is valuable. It informs how you manage your holdings now, what hygiene to practice, and how to think about custody over the next decade or two. The difference between "informed and prepared" and "panicked and reactive" comes down to a single technical detail: whether your public key is visible on the blockchain.

Understanding this distinction is the difference between informed preparation and unnecessary panic.

How Bitcoin's Cryptography Creates the Vulnerability Window

Bitcoin's security model rests on a one-way mathematical relationship. Your wallet generates a private key, derives a public key from it, and uses that public key to create addresses where you receive funds. Under current technology, reversing a public key back into a private key is computationally infeasible. It would take longer than the age of the universe on any classical computer.

A sufficiently powerful quantum computer running Shor's algorithm could change that equation. If an attacker has your public key, they could theoretically derive your private key and forge a valid spend authorization.

The critical word is "if." Two things must be true for a quantum attack to succeed. First, the attacker must have access to your public key. Second, they must be able to derive the private key fast enough to act on it. Different Bitcoin address types expose the public key at different times, and that timing difference is what creates the vulnerability tiers.

The Three Tiers of Quantum Exposure

Not all Bitcoin addresses work the same way under the hood. Some reveal your public key the moment you receive funds. Others keep it hidden behind a hash until you spend. This distinction creates a natural hierarchy of quantum risk if and when a CRQC eventually exists. To be clear: none of these tiers represent a current risk. They describe a future exposure ranking that helps holders think about long-term custody hygiene.

Tier A: Public Key Visible on Chain Immediately (Long-Range Targets)

These are the highest-exposure addresses. The public key sits directly on the blockchain from the moment funds are received, giving a future attacker an unlimited window to attempt key derivation.

Pay-to-Public-Key (P2PK) is the original Bitcoin address format, widely used in the earliest years of the network. P2PK outputs embed the full public key directly in the locking script. This includes the estimated 1.1 million BTC attributed to Satoshi Nakamoto, spread across roughly 22,000 separate addresses at about 50 BTC each. The Ark Invest/Unchained report estimates approximately 1.7 million BTC sits in P2PK addresses overall, most of which is likely lost and cannot be migrated.

Pay-to-Multisig (P2MS) or "raw multisig" also exposes public keys directly, though it currently secures relatively little value on the network.

Pay-to-Taproot (P2TR) key-path spends are a more nuanced case. Taproot, activated in 2021, is Bitcoin's most modern address format and offers significant privacy and efficiency benefits. However, a P2TR output carries a tweaked public key directly in its locking script, which could be targetable in a CRQC world. Taproot is fully secure against all threats today, but its public key exposure means it belongs in the long-range vulnerability tier for future quantum scenarios. Mitigation paths exist, and BIP-360 specifically addresses this exposure.

Tier B: Public Key Hidden Until Exposed by Holder Behavior

Most modern Bitcoin address types (P2PKH, P2SH, P2WPKH, P2WSH) hide the public key behind a hash until you spend. This means your coins are protected as long as you have only received Bitcoin to that address. The public key is revealed only when you authorize a transaction.

The problem arises from avoidable behaviors that turn these "normally safe" addresses into long-range targets.

Address reuse is the most common issue. When you spend from an address, your public key is revealed in the transaction's unlocking data. If you then receive more Bitcoin to that same address, the new balance sits behind an already-exposed public key. In a CRQC world, that remaining balance becomes a long-range target, just like Tier A.

Fork spending can also create exposure. If you spend duplicated UTXOs on a Bitcoin fork chain, you may reveal the public key tied to the equivalent Bitcoin UTXO, even if you never spent on the Bitcoin chain itself.

Extended public key (xpub) sharing is a subtler risk. Xpubs are commonly shared for watch-only wallet monitoring, payment tracking, and accounting. In a CRQC world, an exposed xpub could cascade into broader exposure depending on the derivation paths used. Today, xpub exposure is a privacy concern. In a post-quantum world, it becomes a security concern.

The key insight for Tier B is that most quantum exposure in this category is preventable through basic hygiene.

Tier C: Public Key Exposed Only When You Spend (Short-Range Risk)

Even if your address hides the public key perfectly, spending reveals it. When you broadcast a transaction, the unlocking data includes your public key, and that transaction sits in the mempool (the network's waiting room for unconfirmed transactions) until a miner includes it in a block.

In a CRQC world, an attacker could theoretically observe your transaction in the mempool, derive your private key from the exposed public key, forge a competing transaction, and race you to confirmation. This is sometimes called a "transaction hijack" or "front-running" attack.

The dividing line is speed. If a CRQC can break a key in days or weeks, Tier A and B coins are the primary concern. If a CRQC can break a key in minutes, even the act of spending from a perfectly managed address becomes risky. This is why Ark Invest's framework distinguishes between Stage 3 (slow key-breaking, only stored coins at risk) and Stage 4 (fast key-breaking, all transactions at risk).

How Much Bitcoin Is Actually at Risk?

Estimates vary across research sources, but the numbers converge on a similar picture:

The Ark Invest/Unchained March 2026 report estimates approximately 35% of Bitcoin's total outstanding supply sits in theoretically vulnerable address types. This breaks down to roughly 1.7 million BTC in P2PK addresses (believed lost, not migratable), about 5.2 million BTC in reused or P2TR addresses (migratable if holders act), and approximately 200,000 BTC in other reused address categories.

A 2025 Chaincode Labs study estimated 6.26 million BTC could be exposed due to reused public keys, valued between $650 billion and $750 billion at the time.

Ledger's Donjon research team estimated roughly 25% of Bitcoin's supply by value has exposed public keys.

The majority of Bitcoin's supply, approximately 65%, is already held in address types where the public key has never been revealed. For these coins, the quantum risk is limited to the short-range Tier C scenario, which requires quantum speeds that are many stages beyond current capability.

The Satoshi Coins Question

Early Bitcoin outputs are frequently cited in quantum discussions because many use the P2PK format, where public keys are directly visible. Satoshi's estimated 1.1 million BTC represents the single largest identifiable concentration of quantum-vulnerable coins.

A detail that often gets lost in the headlines: those coins are spread across roughly 22,000 separate addresses, each protecting about 50 BTC. A quantum attacker would need to break each public key individually. If breaking one key takes an hour, stealing all of Satoshi's coins takes more than three years. If it takes a day, more than 60 years. If a week, more than 400 years.

The image of a single quantum event instantly draining the network is not how the math works. Quantum theft, even if it becomes possible, would be a slow, costly process.

What happens to these coins in a post-quantum world is also a governance question, not just a technical one. Some argue for freezing vulnerable coins after a migration deadline to prevent theft. Others argue that the bearer-asset principle should hold: valid signature wins, and changing that sets a dangerous precedent. This "burn vs. steal" debate is unresolved and will likely become one of the most contentious governance discussions in Bitcoin's history.

What You Can Do Right Now

The quantum threat is not an emergency, but basic hygiene significantly reduces your future exposure.

Do not reuse addresses. This is the single most impactful step. Modern wallets generate new receiving addresses automatically. If yours does not, consider upgrading.

Keep xpubs private. Treat extended public keys as sensitive information, not something to share casually for convenience. In a post-quantum world, xpub exposure could cascade into broader vulnerability.

Use modern wallet defaults. SegWit address types (P2WPKH, P2WSH) offer the strongest current posture by keeping public keys hidden until spend. Taproot offers efficiency and privacy benefits and is secure against all current threats, though its public key exposure is worth monitoring as quantum computing advances.

Do not keep meaningful amounts on exchanges longer than necessary. Exchange custody practices around address management, key rotation, and UTXO handling vary widely and are often opaque.

Think about your custody infrastructure. When migration to quantum-resistant addresses becomes necessary, holders in institutional custody arrangements will have the migration coordinated for them across all key-holding institutions. The custodian manages the key generation, address creation, UTXO migration, and verification process. The holder authorizes the migration but does not need to understand the cryptographic details or manage the operational complexity.

Self-custody and collaborative custody holders will need to manage the process manually across every device and signing location. For a holder running a 2-of-3 multisig across geographically distributed hardware devices, a quantum migration means generating new quantum-resistant keys on each device, creating new addresses, constructing migration transactions, and signing them across the required quorum. This is not impossible, but it is meaningfully more complex than a custodian handling the process, especially if the migration needs to happen across thousands of UTXOs during a period of high fee pressure and network congestion.

Neither approach is wrong, but the operational complexity is different, and understanding that now is better than learning it under pressure.

Understand your UTXOs, not just your total balance. Your quantum exposure is a function of your specific UTXOs, not your aggregate Bitcoin balance. Two holders with the same total BTC could have very different risk profiles depending on which address types their coins sit in, whether public keys have been exposed through spending or address reuse, and how their UTXO set is structured. If you are holding meaningful value, understanding your UTXO composition is worth the effort.
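A per-UTXO audit along the lines of the three tiers above, as an added example (not code from this article or from Onramp). It assumes you can list your own UTXOs as scriptPubKey hex plus satoshis, and that your wallet or indexer can supply a hypothetical `spent_from` set of scripts you have already spent from. The scripts are constructed placeholders, and the A/B/C labels are this example's reading of the tiers.

```python
KEY_AT_REST = {"P2PK", "P2MS", "P2TR"}   # output script itself carries a public key

def script_type(spk_hex):
    """Classify a scriptPubKey by its standard byte template (simplified heuristic)."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK"                     # <pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "P2PKH"                    # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and s[:2] == b"\xa9\x14" and s[-1] == 0x87:
        return "P2SH"                     # OP_HASH160 <20> OP_EQUAL
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"                   # witness v0, 20-byte key hash
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH"                    # witness v0, 32-byte script hash
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR"                     # witness v1, 32-byte tweaked key
    if n >= 37 and 0x51 <= s[0] <= 0x60 and 0x51 <= s[-2] <= 0x60 and s[-1] == 0xAE:
        return "P2MS"                     # OP_m <keys> OP_n OP_CHECKMULTISIG
    return "UNKNOWN"

def tier(spk_hex, spent_from):
    """A: key in the output; B: hashed type already spent from (reuse); C: spend-time only."""
    kind = script_type(spk_hex)
    if kind == "UNKNOWN":
        return "?"                        # non-standard script: review by hand
    if kind in KEY_AT_REST:
        return "A"
    return "B" if spk_hex.lower() in spent_from else "C"

def audit(utxos, spent_from):
    """Sum satoshis per tier for (scriptPubKey hex, satoshis) pairs."""
    totals = {}
    for spk_hex, sats in utxos:
        t = tier(spk_hex, spent_from)
        totals[t] = totals.get(t, 0) + sats
    return totals

# Constructed placeholder scripts (repeated filler bytes, not real keys or hashes).
P2PK   = "2102" + "11" * 32 + "ac"
P2PKH  = "76a914" + "22" * 20 + "88ac"
P2WPKH = "0014" + "33" * 20
P2TR   = "5120" + "44" * 32

# Two holders with the same 3 BTC total; holder 2 has spent from the P2PKH script before.
HOLDER_1 = audit([(P2WPKH, 200_000_000), (P2PKH, 100_000_000)], spent_from=set())
HOLDER_2 = audit([(P2TR, 200_000_000), (P2PKH, 100_000_000)], spent_from={P2PKH})
if __name__ == "__main__":
    print("holder 1:", HOLDER_1, "| holder 2:", HOLDER_2)
```

Both holders have the same balance, yet holder 1's coins all land in the short-range tier while holder 2's are entirely long-range exposed.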

The quantum threat is a reason to be thoughtful about how your Bitcoin is held over the next 10 to 20 years. It is not a reason to panic, sell, or make rushed decisions today.

Understanding how your Bitcoin is stored matters more than ever as the cryptographic landscape evolves. Onramp's multi-institution custody architecture is designed to coordinate key migrations, address-type changes, and UTXO management across three independent institutions, so you do not have to become a cryptographer to keep your Bitcoin secure. Schedule a consultation to learn how the architecture works, or sign up here to get started.
