Glassnode published a forensic analysis concluding that about 9.6% of Bitcoin’s supply, or roughly 1.92 million BTC, is structurally exposed to potential quantum attacks. The finding separates protocol-level vulnerability from ordinary custody risk, showing that some coins carry exposure because their output formats reveal public keys on-chain.
The report matters because quantum risk is no longer framed only as a distant cryptographic debate. Glassnode’s analysis identifies a concentrated pool of technical liabilities, with implications for custodians, wallet providers and market participants if quantum capabilities advance.
Legacy Output Types Create Structural Exposure
Glassnode classified 1.92 million BTC as “structurally unsafe,” meaning the coins sit in output formats that make public keys visible by design when spent. Those coins remain exposed regardless of owner behavior, because the vulnerability is embedded in the output structure itself.
— glassnode (@glassnode) May 20, 2026
The largest category is Pay-to-Public-Key, or P2PK, with about 1.10 million BTC, equal to roughly 5.5% of supply. Legacy multisig, or P2MS, accounts for another 620,000 BTC, while Pay-to-Taproot spending paths add about 200,000 BTC.
Glassnode also identified a wider pool of coins with public-key visibility, totaling about 30.2% of supply, or roughly 6.04 million BTC. That broader figure includes 4.12 million BTC of operational exposure, where address reuse or weak key management has revealed public keys.
The distinction is important for mitigation planning. Structural exposure requires protocol-aware migration paths, while operational exposure can be reduced through better custody hygiene, address management and wallet practices.
Custodial Practices Concentrate Quantum Risk
Glassnode found large differences in public-key exposure across major custodians. Binance Bitcoin wallets showed roughly 85% public-key exposure, compared with about 5% for Coinbase, underscoring how operational standards can concentrate or reduce systemic risk.
The report warned that exposed public keys could become targets if sufficiently powerful quantum machines emerge. Breaking Bitcoin’s elliptic-curve cryptography would require about 2,330 logical qubits and billions of quantum gates, a capability that remained theoretical at the time of the analysis.
Glassnode recommended proactive migration and cryptographic upgrades, pointing to proposals such as BIP-360’s Pay-to-Merkle-Root as one possible route to reduce structural exposure without a hard fork. The structural category is time-sensitive because those coins are vulnerable by format, not because of future user mistakes.
The immediate market impact was muted because the quantum capability needed to exploit these weaknesses does not yet exist. Even so, the operational consequences are real, particularly for custodians with high exposure and wallet providers responsible for migration tooling.
Bitcoin holdings now look like non-migrated technical liabilities. That risk could amplify market stress if quantum hardware progress accelerates or if credible exploitability disclosures emerge.
The industry response will determine whether the issue remains a managed technical upgrade or becomes an economic shock. Post-quantum spend formats, better custody hygiene and coordinated migration plans will be critical to reducing the exposed pool and preserving long-term market confidence.
