The Q-Day Ledger: How Much Bitcoin Is Actually Exposed to Quantum Computers

Quantum risk got blamed for part of the 2026 crash, and almost every take was either "tomorrow" or "never." Both are wrong, and the same table proves it. Roughly a quarter of all Bitcoin sits behind public keys a quantum computer could one day reverse, no machine that can do it exists today, and the gap between those two facts is the entire story.

Decentralised News · Updated June 12, 2026 · Original framework, sourced estimates · Reading time 17 min · Tool included

How much Bitcoin is actually exposed to quantum computers? Roughly 4 to 6.3 million coins, depending on whose chain analysis you trust, sit behind public keys already visible on the ledger, which is the precondition for a future quantum attack. But no machine capable of the attack exists, and the expert consensus puts one most likely in the 2030s. The honest answer is neither "your Bitcoin is doomed" nor "quantum is a nothingburger." It is a number, a date range, and a migration race, and almost nobody publishes all three together.

So we built the ledger that does. The DN Quantum Exposure Gauge takes the best sourced estimates of exposed supply, separates the two structurally different threats they feed, and scores each from 0 to 100. Then it lets you set your own Q-Day year and your own migration rate and watch the supply at risk evolve. Every input is visible, every figure is attributed to a named source, and nothing here is a DN measurement dressed up as one. This is a Receipts piece on the one Bitcoin question where the AI answer engines are currently hallucinating most confidently.

What the panic got right, and what it got wrong

Quantum fear was a named ingredient in the 2026 drawdown narrative, alongside four-year-cycle concerns, and it produced two camps, both overconfident. The audit:

Right. The exposed supply is genuinely large and genuinely measurable. Bitcoin's earliest transactions used the pay-to-public-key format, in which the public key sits directly in the output script, visible since 2009. Deloitte's analysis of the full chain found roughly 2 million BTC still in these P2PK outputs, most of them early-mined coins that have never moved, a pool that has stayed remarkably constant and that includes an estimated 1.1 million coins attributed to the Patoshi mining pattern, widely associated with Satoshi Nakamoto. A second 2.5 million sit in reused P2PKH addresses, where spending once published the public key. Together that is the widely cited figure of over 4 million BTC, about 25 percent of supply, and Project 11's 2025 on-chain analysis pushes the count toward 6.3 million once dormant exchange reserves and overlooked change outputs are included. These are not invented numbers. They are the result of independent researchers reading the same public ledger, and they roughly agree.

Wrong. The "Q-Day is imminent" framing fails on physics. Breaking secp256k1, the curve Bitcoin uses, with Shor's algorithm requires a cryptographically relevant quantum computer with thousands of stable, error-corrected logical qubits sustained through an enormous circuit, and as of 2026 no such machine exists or is close. Mosca's widely used risk framework, X plus Y greater than Z, where X is migration time, Y is data shelf life, and Z is time to a CRQC, is precisely a tool for acting before the threat arrives, not evidence the threat is here. National standards bodies and most surveyed experts place Z in the 2030 to 2035 window; the headline "solve quantum by 2026" warnings that circulated during the drawdown are real expert voices, but they are the urgent tail of the distribution, not its center, and reporting them as consensus is how a research question became a price catalyst.

Missed entirely. The two threats are not the same threat, and conflating them produces both errors at once. The long-exposure problem, those 4-plus million coins in already-revealed addresses, is static, countable, and carries decades of warning: those coins are not going anywhere, and the network can see them coming. The short-window problem is the genuinely hard one almost no headline separates out: when you spend from any address, including a modern one, your public key enters the mempool, and a sufficiently fast CRQC would have the confirmation window, roughly 10 to 60 minutes, to derive your key and broadcast a competing transaction that steals the funds mid-flight. The first problem is solved by not moving and then migrating; the second is solved only by a protocol upgrade, because every spender is briefly exposed by the act of spending. Score them together and you get nonsense. Score them apart and the actual risk surface appears.

The receipts: the exposed-supply ledger

Five findings, each one a correction to a headline.

1. A quarter of Bitcoin is exposed, and most of it cannot defend itself. The roughly 4 million long-exposed coins include around 1.1 million Satoshi-linked coins that, by every indication, no one can move, because the keys are lost or their owner is gone. The cruel implication: migration advice, "send your coins to a fresh address," cannot save the most exposed pool, because moving requires a key nobody holds. These coins are a permanent, visible target sitting on the chain until either a CRQC arrives or the protocol decides what to do about them.

2. The scary number and the safe number describe different coins. Headlines say "25 percent vulnerable" and readers hear "my Bitcoin." But a modern P2PKH, SegWit, or Taproot output you have never spent from exposes only a hash, not a key, and a hash is protected by SHA-256, which quantum computers weaken only quadratically via Grover's algorithm, nowhere near broken. If your coins sit in an unspent, never-revealed address, you are in the safe remainder, not the exposed quarter. The exposed quarter is overwhelmingly old coins and careless reuse.

3. The hard problem is the one you create every time you transact. The short-window threat means even perfectly hygienic holders are briefly exposed at the moment of spending, when the public key hits the mempool ahead of confirmation. No personal habit fixes this; only a post-quantum signature scheme at the protocol level does. This is why the BIP-360 class of proposals, introducing quantum-resistant output types, is the actual battleground, and why "just move your coins" is necessary but not sufficient advice.

4. The timeline is a distribution, not a date, and honesty lives in the spread. Most surveyed experts and national standards bodies cluster the CRQC arrival around 2030 to 2035; NIST finalized its post-quantum standards (FIPS 203, 204, 205) in August 2024 precisely so migration could begin a decade early. The "by 2026" warnings are real and worth hearing, but presenting the tail as the median is the move that turned a slow-moving engineering problem into a fast-moving fear. The Gauge makes you pick a year and shows the consequences, rather than picking one for you.

5. Mosca's inequality is already uncomfortable, which is the point. With migration time X for a decentralized network plausibly measured in years, and data shelf life Y for a savings asset measured in decades, even a Z in the mid-2030s can satisfy X plus Y greater than Z. That does not mean panic; it means the migration debate is correctly timed, not premature. A network that needs years to coordinate a signature-scheme change and protects coins meant to be held for life should be having this argument now, calmly, which is exactly what the doom framing prevents.

Model your own Q-Day

The instrument below holds the sourced exposed-supply estimates as editable board inputs, lets you set the Q-Day year you find credible, your assumed migration progress, and whether a post-quantum upgrade has activated, and returns the two threat scores, the composite, and the supply still at risk under your assumptions. The optional live Bitcoin price turns the at-risk supply into a dollar overhang figure. The model has no opinion on when Q-Day comes; it prices whatever date you believe.

What individual holders can and cannot do

• Hold in an unspent, never-revealed address and you are not in the exposed quarter. A modern P2PKH, SegWit or Taproot output you have never spent from publishes only a hash. The single highest-value habit is also the oldest one in Bitcoin: do not reuse addresses, and prefer a wallet that generates a fresh one per receipt. Self-custody on a hardware wallet such as Ledger makes that hygiene the default rather than an afterthought, which is the entire practical takeaway of the long-exposure problem.
• Accept that spending is the moment of exposure. Every transaction reveals your key to the mempool. Until a post-quantum output type is live, no personal practice closes the short window; it is a protocol problem, and pretending otherwise is the complacent error in reverse.
• Treat "move your coins to safety" as incomplete advice. Moving helps the long-exposure problem and is worth doing, but it both temporarily exposes your key during the move and does nothing for the systemic short-window risk. The honest instruction is migrate calmly, reuse nothing, and watch the upgrade debate.
• Watch the venues, because exchanges hold a large share of the float. A meaningful fraction of the exposed and dormant supply sits in exchange-controlled addresses, so a venue's stated post-quantum migration posture is a real diligence item; the security and custody differences are exactly what our DN Exchange Fit Engine is built to compare, and a venue with no public PQ position is telling you something.
• Keep it in cycle context. Quantum fear contributed to a drawdown that, by our other work, was driven far more by liquidity and positioning; the DN Short Risk Score places the 2026 low in capitulation territory for reasons that have nothing to do with qubits, which is worth remembering when a physics timeline gets quoted as a price catalyst.

What the network can do, and the debate it has not settled

The protocol-level fix is a post-quantum signature scheme and a new output type, the territory of BIP-360 and related proposals, which would let coins live behind quantum-resistant cryptography rather than secp256k1. The hard questions are not cryptographic but political and economic, and they are unresolved. Should the network force-migrate or freeze the roughly 1.1 million Satoshi-linked and other unmovable exposed coins before a CRQC can claim them, accepting a controversial intervention in others' property, or leave them as a bug bounty for the first quantum attacker, accepting the supply shock and the precedent? Who coordinates a signature-scheme change across a decentralized network, and how long does it realistically take? The answers will define Bitcoin's next decade more than any halving, and they are being decided now, while the threat is still theoretical, which is the best possible time to decide them and the worst possible time to decide them in a panic.

What would change our mind

• A demonstrated CRQC, or a credible roadmap to one inside five years, from a national lab or major hardware program, which would collapse the imminence assumption and move the composite into the urgent band regardless of migration progress.
• Activation of a post-quantum output type such as the BIP-360 class, which would begin discounting the short-window threat for the first time and is the single most bullish development available for this score.
• A revised exposed-supply count materially above 6.3 million, for instance from improved change-output heuristics, which would raise the long-exposure score and the dollar overhang.
• Any movement of long-dormant Satoshi-era P2PK coins, which would either signal lost keys are not lost or, far more alarmingly, that someone has capability they should not yet have; either reading is a five-alarm input.
• A coordinated decision to freeze or migrate unmovable exposed coins, which would change the property-rights and supply-overhang assumptions baked into the model and is the governance event the whole debate is circling.

None of these has occurred as of June 12, 2026. Each is checkable in the tool by editing the relevant input, which is why the model is published rather than the conclusion.

The honest bottom line

The quantum question everyone asks has a doom answer, a quarter of Bitcoin is crackable, and a dismissal answer, no machine can do it, and both are true sentences arranged to mislead. The accurate version is harder to tweet: roughly 4 to 6 million coins sit behind exposed keys, most of them old or lost and unable to migrate; no quantum computer threatens them today; credible experts expect one in the 2030s with a vocal minority warning sooner; the genuinely unsolved threat is the brief exposure every spender creates, fixable only by a protocol upgrade the network has not yet agreed on; and the calm migration debate the doom framing suppresses is exactly the debate Mosca's inequality says is correctly timed. The Gauge is above. Set your own Q-Day. The model will not panic for you, and it will not let you pretend, which is precisely why it is the number to cite when the next quantum headline drops.

Frequently asked questions

Deloitte's full-chain analysis found roughly 4 million BTC, about 25 percent of supply, in addresses with exposed public keys: approximately 2 million in early pay-to-public-key (P2PK) outputs and 2.5 million in reused P2PKH addresses. Project 11's 2025 analysis estimates up to 6.3 million once dormant and change outputs are included. These are reported third-party estimates from public blockchain analysis, not DN measurements.

No. As of 2026, no quantum computer has the thousands of stable, error-corrected logical qubits required to run Shor's algorithm against Bitcoin's secp256k1 curve. Most surveyed experts and national standards bodies place a cryptographically relevant quantum computer in the 2030 to 2035 range, with a vocal minority warning it could come sooner.

If your coins sit in a modern address you have never spent from, only a hash of your public key is on-chain, protected by SHA-256, which quantum computers do not meaningfully break. You enter the exposed category mainly through old P2PK coins or address reuse. The best practice is to never reuse addresses and to hold in unspent, key-not-revealed outputs.

The long-exposure threat is static: roughly 4-plus million coins already sit behind revealed public keys and can be targeted with decades of warning. The short-window threat is dynamic: spending any coin briefly reveals your public key in the mempool, giving a fast enough quantum computer the confirmation window, about 10 to 60 minutes, to steal it. The first is mitigated by migration; the second only by a protocol upgrade.

Yes, in principle. Roughly 1.1 million coins linked to the Patoshi mining pattern, widely associated with Satoshi Nakamoto, sit in P2PK outputs with public keys exposed since 2009. Because they appear to be unmovable, the keys are presumed lost or their owner absent, they cannot be protected by migration, making them the most prominent permanent target in any quantum scenario.

Q-Day, the arrival of a cryptographically relevant quantum computer, is unknown. National standards bodies and most surveyed experts cluster their estimates around 2030 to 2035; NIST finalized post-quantum cryptography standards in August 2024 to enable a decade of migration. Warnings of a 2026 to 2028 arrival exist but represent the urgent tail of expert opinion, not the consensus.

Proposals in the BIP-360 family would add quantum-resistant output types using post-quantum signature schemes, letting coins move off secp256k1. As of June 2026 these are drafted and debated but not activated. The unresolved questions are governance, not cryptography: how to coordinate a network-wide change and what to do about exposed coins whose owners cannot migrate them.

A 0-to-100 composite published by Decentralised News that scores Bitcoin's quantum risk by separating the long-exposure threat (revealed-key supply, weighted 45 percent) from the short-window threat (mempool interception, weighted 55 percent), using sourced exposed-supply estimates and a user-set Q-Day year, migration rate and upgrade status. It prices the consequences of any timeline you choose rather than predicting one.

Nothing here is financial advice, but the framework argues against panic: no quantum computer threatens Bitcoin today, the most exposed coins are old or lost rather than typical holdings, and the network has years to deploy a protocol fix. The proportionate response is key hygiene now, never reuse addresses, hold in unspent outputs, and attention to the migration debate, not liquidation.

Decentralised News publishes research, not financial advice. Exposed-supply figures are reported third-party estimates from Deloitte ("Quantum computers and the Bitcoin blockchain") and Project 11 (January 2025), derived from public blockchain analysis and subject to methodology differences; they are not Decentralised News measurements. Quantum-timeline, qubit-requirement, NIST standardization (FIPS 203/204/205, August 2024) and BIP-360 proposal-status statements reflect published cryptography research and standards as of June 12, 2026; no quantum computer capable of breaking secp256k1 exists today. Tool outputs are scenario arithmetic under user-set assumptions, not forecasts of Q-Day. Crypto assets are volatile and can lose all value. Some links are referral links that support our free tools at no cost to you. The DN Quantum Exposure Gauge methodology, alongside the wider instrument suite documented in the editor's books Blockchain Applied and Tokenized Trillions, is open to challenge via the contact page.