BTCQ is a heuristic classifier built on public Esplora API data. It
reports practical exposure signals based on what is directly
observable on-chain — not a formal proof of cryptographic safety or
a prediction about quantum hardware timelines.
Script type detection from vout data
Spend-path analysis from vin witnesses and scripts
Five risk tiers for addresses and specific outputs
Risk tiers
Tier 1 P2PK — high risk.P2PK outputs embed the full public key directly in the locking script
(<pubkey> OP_CHECKSIG). The key is visible on-chain from the
moment the coins are received — no spend is required to expose it. This is the
format Satoshi used for all early coinbase outputs. Funds in P2PK
addresses are the most immediately vulnerable if a capable quantum computer
becomes available.
Tier 2 Spent address — exposed.
Applies to P2PKH, P2WPKH, P2WSH, and
P2SH addresses that have at least one confirmed spend. Spending from
these address types reveals the public key or redeem script in the transaction
input — making that material permanently visible on-chain.
Tier 3 Taproot.P2TR outputs commit an x-only public key in the output itself, making
the key observable before any spend. The spend-path risk profile differs from
older scripts, but the output key exposure is analogous to P2PK in
that it does not require a spend to become visible.
Tier 4 Safer — no spend detected.
Common P2PKH (1...) or P2WPKH (bc1q...)
addresses with no detected spend history. The public key is hidden behind a hash
and has not yet appeared on-chain. This is the practical target for address hygiene —
receive-only, single-use, never spent.
Some legacy P2PKH addresses still need manual caution even without a spend
if the same key hash is historically linked to an older P2PK output whose
public key is already public elsewhere on-chain. BTCQ treats known cases like that as
exposed, not as Tier 4 receive-only addresses.
Tier 5 Manual review.
Unspent P2SH addresses and addresses with no on-chain history.
P2SH hides a redeem script until spend time, so the quantum
exposure depends entirely on what sits behind that script. This checker treats
it as a manual-review case until a spend reveals the script.
Complex script handling
Spent P2SH is not treated as generically unknown
once the API returns spend-path data. If the redeem script or witness script is
visible in the response, BTCQ classifies it further — into multisig, wrapped
SegWit, or general script-path exposure — and assigns Tier 2 accordingly.
Wrapped SegWit is flagged when the redeem script assembly
begins with OP_0, indicating a P2SH-P2WPKH or
P2SH-P2WSH construction. Once spent, the redeem path is public.
Multisig is flagged when the revealed script assembly includes
CHECKMULTISIG in either the redeem script or witness script fields.
P2WSH spends are treated as script-path exposure
because witness-script details — including any embedded public keys — are
typically revealed in full at spend time.
Public key material in inputs is flagged when scriptsig_asm
includes OP_PUSHBYTES_33 or OP_PUSHBYTES_65, or when
witness stack items are 33 or 65 bytes — the compressed and uncompressed public
key lengths.
Reuse signal
BTCQ flags address reuse when spent_txo_count exceeds zero. An
address that has only received — but never sent — is not flagged, because the
public key is only revealed on the spend path. This is a practical on-chain
signal, not a wallet-descriptor or UTXO graph analysis.
Privacy boundary
BTCQ has no backend and does not proxy or log requests. The lookup goes from
your browser directly to the selected public API provider. That provider, your
network path, and your browser can still observe which address was queried.
Stronger privacy requires a self-hosted Esplora endpoint or a separate
network-privacy layer such as Tor.
Known limits
BTCQ fetches the first page of confirmed history (up to 25 transactions plus
one additional page for addresses with deep history). Addresses with very large
transaction counts may be assessed on a partial view — this is noted in the
results when it occurs. The tool does not parse every possible custom script
or establish cryptographic certainty. It is an educational triage tool built
from explorer-visible data.