Blockchain data firm Glassnode released a research report on May 22 confirming that in Bitcoin’s circulating supply there are 6.04 million publicly exposed public keys (over $469 billion in marketcap). In theory, if a sufficiently powerful quantum computer emerges, it could use the Shor algorithm to derive private keys from known public keys, putting the related holdings at risk of being stolen; the remaining 13.99 million BTC have not shown public key exposure.
Two types of technical exposure: structural (1.92 million) vs operational (4.12 million)
Glassnode’s report clearly divides the 6.04 million BTC with public key exposure risk into two distinct sources:
Structural exposure (1.92 million BTC, 9.6%) is characterized by the fact that the design of the relevant script format itself determines that the public key must be exposed. This includes: outputs in the Pay-to-Public-Key (P2PK) format used in Bitcoin’s early days (which contain early mined outputs associated with Satoshi Nakamoto’s anonymous creator), traditional legacy multisignature (legacy multisig) structures, and some Taproot outputs. A significant portion of the Bitcoin in this category is actually not possible to voluntarily move—lost wallets or long-dormant holdings cannot proactively be transferred to a safer address format.
Operational exposure (4.12 million BTC, 20.6%) is not caused by the Bitcoin itself being exposed due to the script format, but rather by address reuse behavior: as the public key is broadcast on-chain during the spending process, the remaining balance becomes exposed. This is a larger-scale and more practically actionable risk category, because address hygiene practices (avoiding address reuse) can technically prevent this type of exposure.
Confirmed exchange and sovereign custody exposure proportions
Based on the confirmed data in the Glassnode report, exposure proportions differ significantly across different types of holders:
Binance: About 85% of the marked balances are in a quantum risk exposure state
Bitfinex: 100% of the marked balances are in an exposure state
Coinbase: Only about 5% of the marked balances are in an exposure state, mainly concentrated in non-risk-exposed structures
United States, United Kingdom, El Salvador (sovereign holdings): Quantum risk exposure is zero
Glassnode specifically states in the report that these data reflect the design choices of custody solutions and wallet management practices across each platform. They should not be interpreted as any specific company’s risk ranking or as an assessment of solvency capability, nor as an indicator of an imminent security crisis.
Confirmed anti-quantum discussions at the Bitcoin protocol layer
Bitcoin’s developer community is currently discussing two protocol-layer anti-quantum response proposals: the BIP-360 proposal aims to introduce a more quantum-resistant transaction format, allowing users to migrate to a new address type that uses post-quantum cryptography algorithms; another proposal suggests setting a migration deadline and launching a freezing mechanism for any Bitcoin that has not completed migration by the specified deadline (this proposal is still under discussion and there is no confirmed timeline for advancement yet).
Regarding the technical threshold for breaking Bitcoin encryption with quantum computers (“Q Day”), estimates by quantum security companies such as Project Eleven cluster around 2030 to 2032, with some estimates even later. On May 22, 2026 (Thursday), the U.S. government announced it would invest over $2 billion in quantum startups and planned contract manufacturing facilities to drive the development of domestic quantum industry.
Frequently asked questions
How does the Shor algorithm threaten Bitcoin private key security, and how powerful does a quantum computer need to be to break it?
The Shor algorithm is a quantum algorithm that theoretically can complete integer factorization and discrete logarithm problems in polynomial time. The security of the elliptic curve digital signature algorithm (ECDSA) used by Bitcoin is precisely based on the computational difficulty of elliptic curve discrete logarithm problems. If a quantum computer has a sufficient number of logical qubits (current research estimates require millions of fault-tolerant qubits), it could derive the corresponding private key from the public key publicly known on-chain. The number of qubits in existing quantum computers is still far below this threshold. Institutions such as Project Eleven estimate that this technical threshold will arrive no earlier than 2030, with most estimates placing it in 2032 or later.
How can individual Bitcoin holders reduce quantum risk exposure?
Glassnode’s report confirms that individual users can reduce operational exposure risk in the following ways: use a new address for each transaction (avoid address reuse); choose wallet management approaches that do not reuse UTXOs; move away from historical addresses known to have exposed public keys. Migrating structural exposure (such as P2PK formats) requires users to proactively initiate a transaction, but lost-key wallets or long-dormant holdings cannot, in practice, complete voluntary migration.
Does Bitfinex’s 100% exposure mean its users’ funds face immediate risk?
Glassnode states explicitly in the report that the above data “reflect custody solution design choices, not imminent risk,” and emphasizes that it should not be interpreted as a risk ranking for any institution or a signal of solvency ability. A 100% exposure proportion means Bitfinex’s wallet management practices make all public keys in its marked balances visible on-chain, but only after a cryptographically meaningful quantum computer is actually put into use (currently estimated no earlier than 2030) does this exposure become a real, usable security risk.
