Q-Day and Bitcoin: Citi Warns 25% of BTC Supply Already Quantum-Exposed

4.5 to 6.7 million Bitcoin already have their public keys exposed on-chain, representing 25% of total supply, according to a Citi Institute report published May 16, 2026. The bank estimates a 34% probability that a cryptographically relevant quantum computer (CRQC) will exist by 2034. Q-Day is no longer a theoretical footnote.

TL;DR: Citi's May 2026 report places $350-500 billion worth of Bitcoin at quantum risk, with 4.5-6.7 million BTC already exposing public keys on-chain. BIP-360 and BIP-361 remain unadopted, and the G7 Cyber Expert Group has set a 2030 deadline for high-risk system migration.

The Citi report, titled “Quantum Threat: The Trillion-Dollar Security Race,” warns that progress in quantum computing is accelerating faster than earlier models projected, compressing the timeline before a sufficiently powerful machine could break the cryptography protecting Bitcoin wallets. This isn't science fiction. It's a calculation with a date attached.

Source: Citi Institute “Quantum Threat: The Trillion-Dollar Security Race” · Updated May 16, 2026 · Project Eleven

How Exposure Works: Not All Bitcoin Are Equal

Functionally, the problem originates in how Bitcoin manages addresses. In the network's earliest years, Pay-to-Public-Key (P2PK) addresses left the public key permanently visible on-chain. Anyone who ever sent a transaction from a P2PK address has already revealed their public key to the entire world. A sufficiently powerful quantum computer, running Shor's algorithm, could use that public key to derive the corresponding private key. Funds accessible. Without the wallet owner doing anything wrong.

According to Project Eleven, approximately 6.9 million BTC fall into this category, almost certainly including a portion of the wallets attributed to Satoshi Nakamoto. Modern P2PKH addresses aren't fully safe either: the act of signing a transaction reveals the public key during the confirmation window. A fast enough quantum computer could, in theory, intercept that key in those seconds and broadcast a competing transaction before block confirmation.

Citi describes this scenario as “already relevant in the context of corporate and banking security governance.” For a retail user holding BTC on a hardware wallet, the immediate risk is low. For anyone with funds sitting in P2PK addresses forgotten for years, the risk is structural and ongoing.

Can Quantum Computing Actually Hack Bitcoin?

The honest answer: not today, but possibly within a decade. Citi estimates a 34% probability that a CRQC will exist by 2034. Vitalik Buterin had previously put the odds at 20% by 2030. That estimate, per Citi's researchers, is now considered optimistic. Advances by Google, IBM, and Chinese military research programs have pulled forward the projected timeline considerably.

The most immediate risk isn't a direct wallet attack. It's what Citi calls “harvest now, decrypt later.” State-level actors can already copy and archive encrypted data, transactions, and messages today, waiting for the moment when quantum computing power makes decryption possible. For banks and institutions managing long-term sensitive financial data, the danger is present now. Citi estimates the global banking system's total exposure to this risk at $3 trillion, according to the same May 2026 report.

BIP-360, BIP-361, and Bitcoin's Governance Problem

Citi identifies Bitcoin as more exposed than Ethereum for one specific reason: governance speed. Bitcoin changes slowly, though by design. Every protocol modification requires broad consensus among miners, developers, and nodes. BIP-360 (QuBit) and BIP-361 are the proposals currently under discussion to introduce post-quantum-compatible signatures into Bitcoin. Neither has reached the adoption threshold required to become a soft fork. Ethereum, by comparison, has already shipped deep protocol updates (the Merge, Dencun) with relative speed.

Ripple announced in March 2026 a four-phase plan to make XRPL quantum-proof by 2028, with Project Eleven as technical partner. The U.S. NSA published its Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) in May 2025, recommending post-quantum algorithms for critical systems.

The G7 Cyber Expert Group requires high-risk system migration by 2030 across European member states. Bitcoin, of course, is governed by no state or institution. Its transition depends entirely on its community, which historically moves late but carefully. If BIP-360 doesn't reach consensus within the next 24 to 36 months, the gap between Bitcoin's upgrade pace and that of potential adversaries will widen.

The most concrete date to watch isn't 2034. It's 2030. European banks holding Bitcoin as an asset or collateral will need to demonstrate an active post-quantum migration plan to regulators before that deadline arrives. If BIP-360 stalls, the window narrows fast.

The risk isn't that Q-Day arrives tomorrow. The risk is that Bitcoin won't be ready when it does.