When you hear talk of quantum risk to Bitcoin, the conversation usually stays abstract—“someday quantum computers will break signatures.” That warning is real, but it doesn’t tell you what to do today. A 2025 Human Rights Foundation report estimates that 6.5 million BTC—roughly one-third of the total supply—already sit in addresses with exposed public keys, making them easy targets for a future quantum attacker. Project 11’s Bitcoin Risq List bridges the gap by scanning the chain and calling out exactly which balances are vulnerable right now.
Why some bitcoin is more exposed than others
Quantum risk is not spread evenly across the network. Recent chain scans by Chaincode Labs and the Human Rights Foundation place the vulnerable pool at roughly one-third of all bitcoin (between 6.3 million and 6.5 million BTC) whose public keys are already visible on-chain.
Not all bitcoin carries the same quantum risk—legacy scripts, key reuse, and dormant UTXOs are the most exposed.
- Legacy or reveal-early scripts. Pay-to-pubkey (P2PK) and early pay-to-pubkey-hash (P2PKH) outputs publish the full public key as soon as you spend them, giving a future quantum attacker an early advantage.
- Key reuse. Chaincode’s audit attributes 69 percent of the vulnerable balance—about 4.5 million BTC—to wallets that recycle the same public key across transactions. Each reuse provides fresh material for cryptanalysis.
- Dormant, unrotated coins. Years-old UTXOs with exposed keys keep accruing risk because their owners never migrated them into modern SegWit or Taproot addresses.
By zeroing in on these already visible keys, Project 11’s RISQ List shows you where a quantum thief would strike first, giving you a practical window to move funds before Q-day arrives.
What the RISQ list actually tracks
Think of the RISQ dashboard as a running health chart for bitcoin’s most exposed coins. It surfaces four headline numbers you can check at a glance:
A dashboard-style view of the RISQ list turns Bitcoin quantum exposure into clear, trackable metrics.
- How many keys are already on display. The latest Human Rights Foundation scan counts 6.51 million BTC sitting in outputs whose public keys are visible right now, roughly one-third of the supply.
- How much value those keys represent. At today’s $92,000 price, that total equals more than $599 billion, comparable to the market cap of Meta.
- Which script paths leak the most. Early P2PK outputs account for 1.72 million BTC, while reused P2PKH addresses expose another 4.49 million BTC.
- Whether the problem is shrinking or growing. Deloitte sounded the alarm in 2019, warning that 4 million BTC were vulnerable; today’s 6.5 million figure shows the risk is expanding, not contracting.
By putting concrete totals, year-over-year deltas, and script-level detail in front of you, the RISQ list converts an abstract quantum threat into numbers you can track, so you know when to move coins or press your custodian for an upgrade.
How bitcoin holders can use this information
You can act without waiting for a standards body. The RISQ list offers a three-step checklist you can run this afternoon:
A simple three-step routine—scan addresses, migrate to Taproot or SegWit, and stop reuse—turns quantum risk into weekend wallet housekeeping.
- Scan your addresses. Paste each receive address into an open-source quantum-risk checker such as QSBitcoin’s web tool or @0xB10C’s “whatpubkey” script. If the report flags an exposed key with balance, note the amount.
- Move anything flagged into fresh Taproot or SegWit outputs. Fewer than 1 in 10 bitcoin outputs by value, about 8.6 percent, use Taproot today, so shifting even a small stash closes a large gap.
- Retire reuse. The Human Rights Foundation estimates that 4.49 million BTC, more than $400 billion, are vulnerable solely because of address reuse. Generate a new address for every incoming payment, and encourage anyone paying you to do the same.
Follow those three steps and you turn “quantum risk” from a distant headline into a weekend housekeeping task: scan, migrate, repeat.
Why it matters for institutions and custodians
If you safeguard thousands or even billions of dollars in bitcoin, the quantum timeline is not an academic debate; it belongs on your risk-committee agenda. Today, custodians such as Coinbase Prime hold about $245 billion in client assets, and 81 percent of the crypto now parked inside U.S. ETFs sits with that single provider. The RISQ list lets teams like yours answer three board-level questions in minutes:
- How big is our direct exposure? Upload a wallet xpub, and the dashboard returns the exact BTC balance, down to the product level, that sits in outputs with revealed keys.
- Which business lines need upgrades first? A 2025 HRF study shows that key reuse accounts for 4.49 million BTC in live risk, giving exchanges a clear target: migrate high-traffic deposit wallets before cold storage.
- Are we closing the gap quarter over quarter? Because the tool snapshots balances monthly, you can drop a trend chart straight into compliance reports instead of telling stakeholders, “we’re monitoring quantum risk.”
Answering those three questions turns quantum readiness from a vague talking point into a measurable, auditable KPI that auditors, regulators, and clients can understand.
A tool for developers and researchers
If you write bitcoin software or review BIPs, the RISQ dataset is more than a curiosity; it is raw fuel for experiments. The 6.5 million BTC exposure map ships as a 5.2 MB CSV with 1.8 million rows, each labeled by script type, key-reuse count, and last-spend height. With that data you can:
- Stress-test new address designs. Hunter Beast’s BIP-360 “Pay-to-Quantum-Resistant-Hash” proposal includes test vectors pulled straight from the RISQ dump, letting you benchmark signature-size trade-offs against real UTXOs.
- Flag anti-patterns in wallet code. A quick grep shows that nearly 42 percent of exposed coins still sit in pay-to-pubkey outputs, a relic many SDKs quietly support.
- Quantify impact for grant pitches. Pitching a Taproot backport for hardware wallets? Point to the exact slice of coins, about 1.7 million BTC, that the patch would protect.
By turning risk into rows and columns, the RISQ list helps the developer community chase the highest-leverage fixes first, leaving no guesswork.