A report published July 7 warns that roughly $470 billion worth of Bitcoin is exposed to future quantum attacks, pushing the crypto industry's post-quantum migration from theoretical debate to urgent infrastructure priority.
Bitcoin fell 2.3% to $1,748 on July 7 after a report from CryptoBriefing estimated that approximately $470 billion in Bitcoin — representing about 23% of the network's total market capitalization — sits in addresses whose cryptographic security could be broken by a sufficiently powerful quantum computer. The analysis focused on early P2PK (Pay-to-Public-Key) outputs and reused P2PKH/P2WPKH addresses where full public keys are exposed on-chain, making them vulnerable to Shor's algorithm once a cryptographically relevant quantum computer, or CRQC, becomes operational.
"Storage is cheap, so malicious actors are hoovering up encrypted data by the petabyte and waiting for the day a quantum computer enables them to decrypt it," said Lara Ballard, former special advisor for privacy and technology at the U.S. Department of State and a cyber risk analyst at the Department of Homeland Security, in a contributed piece to the IAPP. "Privacy professionals should care because sensitive PII, including Social Security numbers, will still be sensitive in 2035."
The report arrives as the National Institute of Standards and Technology has already finalized three post-quantum cryptographic standards — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) — and selected a fourth, HQC, in March 2025. Yet adoption across blockchain networks remains nascent. Bitcoin's elliptic curve digital signature algorithm (ECDSA) and Schnorr signatures, along with Ethereum's BLS signatures and KZG commitments, are all structurally vulnerable to Shor's algorithm, which can derive private keys from publicly exposed public keys.
The $470 Billion Exposure
The $470 billion figure reflects the cumulative value of Bitcoin held in UTXOs with on-chain public key exposure. These include early P2PK outputs from Bitcoin's first years, Taproot (P2TR) outputs, and P2PKH/P2WPKH addresses where keys have been reused across multiple transactions. Once a CRQC reaches sufficient qubit count — current estimates range from 2035 to 2045, with accelerated scenarios as early as 2030 — an attacker could reverse-engineer private keys from these exposed public keys and drain the associated funds without any private key breach.
The threat is compounded by the "harvest now, decrypt later" strategy. Because data storage is cheap, state-level actors and sophisticated criminals are already collecting encrypted blockchain data, waiting for the computational power to unlock it. The Mosca inequality — X + Y > Z, where X is the data's confidentiality period, Y is the migration timeline, and Z is time until Q-Day — suggests that any data requiring confidentiality beyond 10 years is already at risk if migration has not begun.
Bitcoin's governance structure makes a rapid response difficult. Introducing a new quantum-safe output type requires a soft fork, with draft proposals such as BIP-360/P2MR (Pay-to-Merkle-Root) still far from network-wide consensus. The engineering tax is steep: current ECDSA/Schnorr signatures are roughly 64 to 72 bytes, while candidate post-quantum signatures such as ML-DSA (2.4 to 4.6 KB) and SLH-DSA (7 to 49 KB) are dozens of times larger, increasing block weight, transaction fees, and node storage requirements.
Ethereum Charts a Different Path
Ethereum has taken a more proactive approach. The Ethereum Foundation's post-quantum team, operating under the "Lean Ethereum" roadmap published by co-founder Vitalik Buterin on July 4, targets full post-quantum protection by approximately 2029. The plan identifies four vulnerable cryptographic components — ECDSA wallet signatures, BLS consensus signatures, KZG data availability commitments, and certain zero-knowledge proof systems — and stages their replacement across seven protocol forks.
The roadmap leverages account abstraction (ERC-4337 and EIP-7702) to give smart contract wallets "signature agility," enabling hybrid signatures and gradual migration without requiring a full network-wide hard fork. On the consensus layer, the team is developing leanXMSS, a hash-based signature scheme combined with a minimal zkVM (leanVM) for SNARK aggregation, which could compress large hash signatures by approximately 250 times.
The contrast between the two networks highlights a structural tension. Bitcoin's conservative governance preserves its narrative as a store of value resistant to centralized interference, but it also creates the highest barrier to cryptographic migration. Ethereum's more flexible upgrade mechanism allows faster adaptation but introduces engineering complexity across its multi-layer protocol stack.
What Comes Next
The industry's "engineering comfort window" before Q-Day has narrowed to roughly five to eight years, according to multiple estimates cited in the report. Within that window, two milestones will test the ecosystem's readiness: the first regulatory mandate requiring post-quantum cryptography compliance from custodians and exchanges, and the first major protocol to successfully activate a quantum-safe upgrade on mainnet.
For Bitcoin, the ultimate test is not cryptographic but political. Handling the roughly $470 billion in exposed UTXOs — including long-dormant coins from the Satoshi era — will force a governance choice between the immutability principle and the practical need to freeze or migrate vulnerable assets. A "Legacy Sunset" mechanism, such as the draft BIP-361 proposal, would issue multi-year deprecation warnings and gradually increase relay policy friction for old outputs, but no consensus has been reached.
For Ethereum, the challenge is execution. The Lean roadmap's seven forks through 2029 require coordination across multiple independent client teams, thousands of validators, and a growing number of research labs operating outside the Ethereum Foundation, which has lost more than 10 senior staff members in 2026. Whether the distributed development model can deliver at the pace the roadmap demands remains the open question.
This article is for informational purposes only and does not constitute investment advice.