Citi is not saying Bitcoin has more exposed supply than Ethereum. Its sharper warning is that Bitcoin may be harder to migrate because old coins, exposed keys and slow governance make quantum readiness unusually difficult.
The uncomfortable point inside Citi's quantum warning is not that Bitcoin is the most exposed major blockchain by percentage. It is that Bitcoin has a smaller but more stubborn problem. Roughly a quarter of Bitcoin supply is tied to public keys that have already been revealed on-chain, and some of that supply may sit in old, abandoned or long-dormant wallets that cannot simply be moved when the industry decides it is time to upgrade.
That distinction matters. Citi's January report says public key exposure applies to about 25% of Bitcoin, while other blockchains have much larger exposed shares. Ethereum, for example, is cited at more than 65% of current supply. Solana is described as effectively fully exposed. On the surface, that makes Bitcoin look less vulnerable. In practice, Citi argues Bitcoin faces a different kind of headache, because post-quantum migration cannot be passive and Bitcoin changes slowly by design.
The timing is not random. Citi's January report argues that quantum computers are likely to become powerful enough within the next decade to break widely used public-key encryption, and it frames the issue as a broader digital-security problem, not a crypto-only one. A separate Google Research paper published on March 31 sharpened the debate by estimating that attacking elliptic-curve cryptography used by Bitcoin, Ethereum and other major chains could require far fewer quantum resources than older estimates suggested. That is why the subject has moved from theoretical backdrop to active risk planning.
The core issue is simple enough. Bitcoin ownership relies on digital signatures, and those signatures depend on elliptic-curve cryptography. A sufficiently powerful quantum computer running Shor's algorithm could derive a private key from an exposed public key. That does not mean every Bitcoin wallet is at immediate risk today. It means coins connected to already visible public keys become a long-term target once cryptographically relevant quantum machines exist.
Google's research helped put numbers around the anxiety. The paper and related market coverage have pointed to roughly 6.9 million BTC sitting in addresses or outputs where public keys have already been exposed, including older pay-to-public-key outputs, reused addresses and some other exposed formats. Citi's report gives a broader estimated range of about 4.5 million to 6.7 million BTC in quantum-exposed outputs. Either way, the pool is large enough to matter for investors, custodians and exchanges.
Ethereum is not immune. In fact, Citi's numbers suggest Ethereum has a higher share of exposed supply. The difference is that Ethereum may have more practical paths for coordinated protocol change. Its hard-fork history, account abstraction work and signature flexibility could make a post-quantum transition easier to stage over time. That does not make the upgrade simple. It does mean the network has more precedent for changing core machinery when the community accepts the need.
Bitcoin's strength is also the source of its complication. Its conservative upgrade culture is one reason institutions trust it, because the network is not supposed to change quickly. But that same caution can slow responses to technical threats that require broad coordination. A post-quantum signature migration would involve wallets, custodians, exchanges, hardware devices, miners and users. It would also raise a hard question about abandoned coins whose owners may never move them.
Why the stakes keep rising
The market backdrop makes the warning harder to ignore. Institutional ownership of Bitcoin has grown through spot ETFs, corporate treasuries and professional custody platforms, which means the risk is no longer confined to technically curious retail holders. If the assumptions around digital signatures begin to change, asset managers and custodians will need credible migration plans long before the threat becomes practical.
There is also a harvest now, decrypt later problem around the wider digital economy. Citi's report says organizations with long privacy timelines should start implementing post-quantum cryptography now, because encrypted data collected today could be attacked later when quantum hardware catches up. For blockchains, the ownership risk is more forward-looking than retroactive, since old transactions are not undone simply because a future computer becomes stronger. But exposed public keys still create a pool of targets that can be studied today and attacked later.
For Bitcoin developers, the latest wave of research keeps the same question on the table: should the network begin laying protocol-level groundwork for quantum resistance now, or wait until the threat looks closer? Citi's answer is clear enough. The challenge is not the absence of possible post-quantum tools, but the difficulty of rolling them out across systems that were never built for fast cryptographic replacement.
What makes this story current is that quantum security has become an institutional planning issue. Citi's January report, its recent blockchain-focused follow-up and Google's March research all point in the same direction: the industry has time, but not unlimited time. For Bitcoin, the next phase is not panic. It is preparation, and the market will increasingly reward networks and custodians that can show how they intend to make the transition before a deadline forces the issue.
Also read: Cursor makes Composer 2.5 a cheaper rival for coding agents • Torvalds warns AI bug reports are flooding Linux maintainers • llama.cpp adds Multi-Token Prediction and doubles Qwen3.6 27B throughput for local inference