A new study by Glassnode is putting fresh focus on a security risk for the wider Bitcoin (BTC) ecosystem—one that relates not to today’s cryptography, but to what could happen if quantum computers become powerful enough to run the right algorithms. According to the research, 6.04 million Bitcoin, or 30.2% of the issued supply, is exposed under an “at-rest” model that looks for whether public-key material is already visible on-chain. The remaining 13.99 million BTC, representing 69.8% of the supply, is described as showing no public-key exposure at restStructural Vs. Operational ExposureGlassnode breaks the concern into two distinct categories: structural exposure and operational exposure. Structural exposure covers outputs where the script type itself reveals the public key by design. Operational exposure is different. It refers to coins that may have been protected originally, but where address reuse, partial spending, or custody behavior has already made the public key visible—while the BTC remains tied to the same address, key, or script structure. In the study’s breakdown, structural exposure accounts for 1.92 million BTC, equal to 9.6% of issued supply. Operational exposure is larger, totaling 4.12 million BTC, or 20.6%. Within this operational bucket, exchange-related balances alone come to 1.63 million BTC, or 8.1% of all issued Bitcoin. The quantum risk behind the analysis is rooted in a scenario involving a sufficiently capable “Cryptographically Relevant Quantum Computer” (CRQC) running Shor’s algorithm. In principle, if an attacker knows a public key, Shor’s algorithm could be used to recover the corresponding private key. Glassnode’s at-rest framework matters here because the attacker would not need the owner to move the coins. If the public key is already visible on-chain, the coin is considered exposed; if the public key is not visible on-chain, the coin is not exposed under this specific model.The Bigger WarningUnder Glassnode’s structural exposure definition, the output type itself reveals the relevant public-key information, independent of how carefully the owner manages addresses. The report points to early P2PK outputs—associated with Satoshi-era coins—and legacy bare multisig structures such as P2MS. It also includes modern Taproot (P2TR) outputs. While these script types come from different eras and were built for different purposes, they share the same property in Glassnode’s framework: the public key, or a public-key equivalent, is visible by default on-chain. That means these coins are targetable while they remain unspent.Operational exposure is where the situation becomes more complex, and where the report places most of its emphasis. In these cases, the outputs are not necessarily vulnerable by design. Instead, they become exposed because the public key has already been revealed at some point during spending, yet Bitcoin remains associated with the same key or script arrangement. Glassnode describes this as an “address reuse problem.” 4 Million Bitcoin Operationally UnsafeGlassnode classifies 4.12 million Bitcoin, or 20.6% of issued supply, as operationally unsafe, and within that bucket, it highlights exchanges as a major labeled subset.For exchange-related balances, the study estimates 1.66 million BTC, or 8.3% of total supply, falls into the operationally unsafe category. Glassnode notes that this represents approximately 40% of all operationally unsafe BTC. Among the largest exchanges, Glassnode reports that Coinbase labeled balances appear largely concentrated in non-exposed structures, with only 5% exposed balance. By contrast, Binance and Bitfinex show dramatically higher susceptible balances—85% and 100%, respectively.For the countries covered in the report—the United States, the United Kingdom, and El Salvador—Glassnode indicates 0% quantum exposure to their Bitcoin holdings.Featured image created with OpenArt, chart from TradingView.com