Bitcoin’s quantum attack surface is smaller than headlines suggest — CoinShares pegs real exposure near 10,200 BTC

The quantum panic around Bitcoin keeps resurfacing, but the risk profile is narrower than people imply. A new analysis estimates roughly 10,200 BTC are meaningfully exposed today, and that breaking Bitcoin’s core cryptography would require quantum computers about 100,000 times more powerful than what exists — a leap that could take a decade of scientific progress.

Here’s the piece that matters: exposure hinges less on “quantum is coming” and more on where public keys are visible on-chain. Bitcoin’s security rests on two layers — hashing to protect identities until spend, and elliptic curve signatures to authorize movement. Quantum machines running Shor’s algorithm theoretically threaten the signature layer by recovering private keys from public keys. But only UTXOs tied to already-revealed public keys sit in the immediate blast radius. That is why the current at-risk pool is counted in tens of thousands of BTC, not millions.

The 10,200 BTC figure captures what’s practically exploitable if a capable quantum adversary showed up tomorrow: coins in legacy formats that expose public keys or outputs where keys have already been revealed through prior spending. Everything else is safer by design until the moment of spend. That nuance gets lost when estimates lump the entire supply into a single risk bucket.

On capability, the delta is still daunting. To meaningfully endanger Bitcoin’s ECDSA/Schnorr signatures, you’d need fault-tolerant quantum hardware with error-corrected logical qubits, stable gates, and deep circuits — not lab demos. The assessment that machines must be ~100,000x more powerful than today’s aligns with what many practitioners see: scaling is constrained by noise, error correction overhead, and engineering, not just qubit counts. A decade is a reasonable — and still uncertain — glide path.

Why push back on overblown narratives? Because incentives skew the discourse. Vendors benefit from amplifying timelines; critics like the doom angle; traders chase volatility. Meanwhile, disciplined portfolio managers need a probability-weighted roadmap, not sci‑fi. Treat quantum risk as a migration and governance question, not an immediate P&L threat.

Practical implications for builders and holders: - Address hygiene still matters. Avoiding address reuse reduces the set of UTXOs with exposed public keys before spend. - Confirmations are your friend. In any future with stronger quantum capability, the spend-to-confirmation window would be the narrow time when an attacker could act. Fee policy, mempool behavior, and wallet defaults may need to adapt if timelines compress. - Research, don’t rush. The industry should be funding post-quantum signature R&D and upgrade paths now — lattice-based schemes, hybrid signatures, and opt-in migrations — while resisting premature hardening that bloats the protocol with unproven cryptography. - Communication discipline. Markets react to framing. Calibrated messaging avoids panic while still motivating the work required for a clean upgrade when it’s actually warranted.

A final point that often gets missed: Bitcoin’s defense is not just cryptography; it’s also social coordination. If quantum capability visibly crosses a threshold, the network can prioritize a transition plan. That takes time and political capital, which is why doing the design work early is prudent — even if the hardware is likely a decade out.

The takeaway isn’t complacency; it’s precision. The real near-term exposure is around 10,200 BTC. The machines needed to broadly compromise signatures are orders of magnitude — about 100,000x — beyond today, with a plausible ten‑year runway. Use that breathing room to prepare methodically rather than trade on fear.