Coinbase's quantum advisory board says roughly 7 million bitcoin sit in addresses exposed to a future quantum attack, and that much of that exposure is not lost Satoshi-era coins but active funds, including cold wallets operated by known exchanges. The estimate appears in a report published Thursday by the company's Independent Advisory Board on Quantum Computing and Blockchain.

The board splits the exposure into two buckets. About 1.7 million bitcoin sit across roughly 20,000 legacy pay-to-public-key (P2PK) addresses, where the public key itself is the address and is fully visible onchain, leaving those coins directly vulnerable to a future attack. Many are assumed to belong to bitcoin's pseudonymous creator or to owners who lost their keys long ago.

The second and larger bucket is the one tied to address reuse. Citing the quantum-security firm Project Eleven, the report puts about 5 million bitcoin at risk because their public keys have already been revealed, and says most of those coins are assumed to belong to active users rather than lost wallets, with large amounts sitting in cold wallets of known exchanges or showing recent activity. The report does not name specific crypto exchanges. 

The report presents the argument that owners who have lost their keys do not need protection because they have already lost practical control of their coins, so the genuine question is what to do about holders who still control their funds but fail to move them before any migration deadline. By the report's own framing, that group could include the exchanges and active holders behind the 5 million reused-key coins.

The report sets out two opposing positions on solutions. The first would set a deadline after which quantum-vulnerable signatures, such as ECDSA and Schnorr, are no longer accepted, permanently freezing any coins not migrated. Proponents argue that broken cryptography voids the proof of ownership those signatures provide, that lost coins flooding the market after a quantum break would unfairly hit other holders, and that freezing would stop a sanctioned actor such as North Korea from seizing a large bitcoin stash.

The second position would enable post-quantum addresses and otherwise leave the risk with each owner. Backers argue that burning coins amounts to confiscation at the network level, breaking with bitcoin's property-rights ethos and setting a precedent that could invite future pressure to seize funds for other reasons, and that there is no reliable way to tell a negligent owner from one who is imprisoned, has died, or has only temporarily lost a key.

Between the two, the report describes intermediate proposals it says are mutually compatible. An "Hourglass" design would cap how many P2PK coins can move per block to prevent a sudden supply shock. The draft BIP-361 proposal would bar legacy signatures after a set time but let users prove ownership with a quantum-resistant zero-knowledge proof, an option available to wallets generated from seed phrases. Provable Address-Control Timestamps, or PACTs, originally proposed by Paradigm researcher Dan Robinson, would let holders commit today to a future quantum-safe transfer without publicly moving funds onchain.

The board declined to back any single approach, saying there is no correct answer and that the community must decide. Its members include Yehuda Lindell, who leads cryptography at Coinbase and is a professor at Bar-Ilan University, alongside Stanford professor Dan Boneh, UT Austin professor Scott Aaronson, Ethereum Foundation researcher Justin Drake, Sreeram Kannan of Eigen Labs and the University of Washington, and UCSB professor Dahlia Malkhi.

The report did make two recommendations, however. It urged developers to start the technical migration work now, arguing that building post-quantum signature support is independent of the abandoned-coins fight and should not wait for it, and it called for clearer communication so users are not left guessing about timelines and plans.

The exchange-exposure point echoes earlier warnings. When Jefferies strategist Christopher Wood pulled bitcoin from his model portfolio in January over quantum risk, the research he cited flagged exchange and institutional wallets as among the most exposed because of address reuse. Bitcoin developers have separately floated the phased sunset of legacy signatures under BIP-361, and Google said in March it was setting a 2029 timeline for its own post-quantum cryptography migration, citing faster progress in quantum-related research.

The board stressed that no quantum computer can break blockchain cryptography today and that the threat remains uncertain. Its argument is that migration and the governance debate will each take years to resolve, so waiting until a cryptographically relevant quantum computer actually exists would be too late.