All Bitcoin at Potential Risk Under Quantum Computing Threat

While only some Bitcoin addresses have exposed public keys, the development of quantum computing may put all 21 million Bitcoin at risk of being cracked. The transaction confirmation window is becoming a new attack target, and a full upgrade to post-quantum signatures has become an urgent issue.

While it is commonly believed that only about 25% to 30% of Bitcoin is at risk from quantum attacks, because only older addresses have exposed public keys, the reality is more severe. According to Project 11's Bitcoin Risq List, 6.88 million Bitcoin (worth over $450 billion) are currently under potential threat, since these addresses are highly vulnerable to cracking due to long-term public key exposure. Approximately 3 million to 4 million of these are considered permanently lost and can never be upgraded to a quantum-safe format.


However, this is not the whole story. In theory, all 21 million Bitcoin could be compromised by a sufficiently powerful quantum computer in the future if they have not been migrated to quantum-safe addresses, provided the attacker can complete key derivation before the transaction is confirmed. The most vulnerable today are early addresses whose public keys have been exposed for a long time, such as those held by Satoshi Nakamoto: their public keys have been public for 15 years, and a quantum computer could crack them with just a few months of continuous computation.


While the remaining Bitcoin have not yet exposed their public keys, those keys are revealed in the mempool each time a transaction is broadcast, typically for a window of 10 to 60 minutes before confirmation. As quantum computing capabilities improve, "just-in-time attacks" may emerge: rapidly recovering the private key during that brief interval and executing a double-spend before the original transaction is confirmed.

[Image: Yoon Auh (The Paul Barron Show)]

Charles Edwards of Capriole notes that the current attack strategy is gradually upgrading from targeting "low-hanging fruit" to systemic attacks on the entire blockchain. "Once the technology matures, every Bitcoin could be taken, given enough time."

Although the BIP-360 proposal attempts to strengthen protection against long-term public key exposure through P2MR outputs, it explicitly states that the scheme cannot defend against short-term exposure attacks, that is, scenarios where an attacker obtains a public key from the mempool before the transaction is confirmed and cracks it in time. BIP-360 co-author Ethan Heilman emphasizes that the truly urgent challenge is addressing short-term attacks, since the attacker must race against the miners' confirmation time to complete key recovery and a double-spend before the transaction is included in the blockchain.
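The two exposure categories the article relies on (public keys already visible on-chain, and hashed keys that are revealed only when a coin is spent) follow directly from the output script type. The classifier below is an added example written for this page, not code from the article, Project 11, or the BIP-360 authors. It inspects raw scriptPubKey bytes, tags each output with when its public key becomes visible, and tallies a constructed UTXO set by exposure class; the `address_spent_before` flag models address reuse, since one earlier spend from a hashed-key address puts its public key on-chain permanently. All sample scripts and values are constructed, not real transactions.

```python
"""Classify Bitcoin outputs by when their public key becomes visible.

Added example, not from the article or any project it cites. Exposure classes:
  ON_CHAIN          key (or a curve point derived from it) is in the output itself
  REVEALED_BY_REUSE key was hashed, but an earlier spend already published it
  AT_SPEND_ONLY     key is hashed and appears only in the spending transaction,
                    i.e. during the mempool window the article describes
"""
from dataclasses import dataclass
from enum import Enum


class Exposure(Enum):
    ON_CHAIN = "public key visible on-chain since funding (long-term exposure)"
    REVEALED_BY_REUSE = "public key published by an earlier spend (long-term exposure)"
    AT_SPEND_ONLY = "public key revealed only when spent (short-term, mempool window)"
    UNKNOWN = "script type not recognised"


@dataclass(frozen=True)
class OutputInfo:
    script_type: str
    exposure: Exposure


def classify_script_pubkey(spk: bytes, address_spent_before: bool = False) -> OutputInfo:
    """Return the script type and exposure class of a raw scriptPubKey."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG. The key is the locking script.
    if n in (35, 67) and spk[0] == n - 2 and spk[0] in (0x21, 0x41) and spk[-1] == 0xAC:
        return OutputInfo("p2pk", Exposure.ON_CHAIN)
    # P2TR (SegWit v1): OP_1 <32-byte x-only output key>. The output key is a curve point.
    if n == 34 and spk[0] == 0x51 and spk[1] == 0x20:
        return OutputInfo("p2tr", Exposure.ON_CHAIN)
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        kind = "p2pkh"
    # P2WPKH (SegWit v0): OP_0 <20-byte hash>
    elif n == 22 and spk[:2] == b"\x00\x14":
        kind = "p2wpkh"
    # P2SH: OP_HASH160 <20-byte script hash> OP_EQUAL; keys stay inside the redeem script.
    elif n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        kind = "p2sh"
    # P2WSH (SegWit v0): OP_0 <32-byte script hash>
    elif n == 34 and spk[:2] == b"\x00\x20":
        kind = "p2wsh"
    else:
        return OutputInfo("unknown", Exposure.UNKNOWN)
    # Hashed keys are safe until spent, unless the same address was already spent from.
    exposure = Exposure.REVEALED_BY_REUSE if address_spent_before else Exposure.AT_SPEND_ONLY
    return OutputInfo(kind, exposure)


def summarise(utxos: list[tuple[bytes, int, bool]]) -> dict[Exposure, int]:
    """Total the value (in satoshis) held under each exposure class."""
    totals: dict[Exposure, int] = {}
    for spk, value_sat, spent_before in utxos:
        info = classify_script_pubkey(spk, spent_before)
        totals[info.exposure] = totals.get(info.exposure, 0) + value_sat
    return totals


# Constructed sample UTXO set: (scriptPubKey, value in sat, address spent from before)
SAMPLE_UTXOS: list[tuple[bytes, int, bool]] = [
    (b"\x21\x02" + b"\x11" * 32 + b"\xac", 50_0000_0000, False),       # early P2PK coinbase-style output
    (b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", 2_0000_0000, False),  # P2PKH, never spent from
    (b"\x76\xa9\x14" + b"\x23" * 20 + b"\x88\xac", 4_0000_0000, True),   # P2PKH, reused address
    (b"\x00\x14" + b"\x33" * 20, 3_0000_0000, False),                    # P2WPKH
    (b"\x51\x20" + b"\x44" * 32, 1_0000_0000, False),                    # P2TR
    (b"\x00\x20" + b"\x55" * 32, 5000_0000, False),                      # P2WSH
]

if __name__ == "__main__":
    for spk, value_sat, spent_before in SAMPLE_UTXOS:
        info = classify_script_pubkey(spk, spent_before)
        print(f"{info.script_type:7} {value_sat / 1e8:8.2f} BTC  {info.exposure.value}")
    for exposure, total in summarise(SAMPLE_UTXOS).items():
        print(f"{total / 1e8:8.2f} BTC  {exposure.name}")
```

Run against the constructed set, the P2PK and P2TR outputs land in the long-term class regardless of spending history, the reused P2PKH address joins them, and only the never-spent hashed outputs fall into the short-term class whose exposure is limited to the confirmation window. Scanning a real wallet's outputs with the same logic gives a first-order estimate of how much value would need to move to a post-quantum output type and how much is merely exposed at spend time.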

To achieve comprehensive protection, the Bitcoin network may have to introduce post-quantum signature algorithms, fundamentally restructuring its digital signature mechanism. Otherwise, even Bitcoin that currently appears secure may completely lose its immutable cornerstone in the quantum era.
