BTCQ / Methodology

How addresses are scored

BTCQ is a heuristic classifier built on public Esplora API data. It reports practical exposure signals based on what is directly observable on-chain — not a formal proof of cryptographic safety or a prediction about quantum hardware timelines.

  • Script type detection from vout data
  • Spend-path analysis from vin witnesses and scripts
  • Five risk tiers for addresses and specific outputs

Risk tiers

  • Tier 1 P2PK — high risk. P2PK outputs embed the full public key directly in the locking script (<pubkey> OP_CHECKSIG). The key is visible on-chain from the moment the coins are received — no spend is required to expose it. This is the format Satoshi used for all early coinbase outputs. Funds in P2PK addresses are the most immediately vulnerable if a capable quantum computer becomes available.
  • Tier 2 Spent address — exposed. Applies to P2PKH, P2WPKH, P2WSH, and P2SH addresses that have at least one confirmed spend. Spending from these address types reveals the public key or redeem script in the transaction input — making that material permanently visible on-chain.
  • Tier 3 Taproot. P2TR outputs commit an x-only public key in the output itself, making the key observable before any spend. The spend-path risk profile differs from older scripts, but the output key exposure is analogous to P2PK in that it does not require a spend to become visible.
  • Tier 4 Safer — no spend detected. Common P2PKH (1...) or P2WPKH (bc1q...) addresses with no detected spend history. The public key is hidden behind a hash and has not yet appeared on-chain. This is the practical target for address hygiene — receive-only, single-use, never spent.
  • Some legacy P2PKH addresses still need manual caution even without a spend if the same key hash is historically linked to an older P2PK output whose public key is already public elsewhere on-chain. BTCQ treats known cases like that as exposed, not as Tier 4 receive-only addresses.
  • Tier 5 Manual review. Unspent P2SH addresses and addresses with no on-chain history. P2SH hides a redeem script until spend time, so the quantum exposure depends entirely on what sits behind that script. This checker treats it as a manual-review case until a spend reveals the script.

Complex script handling

  • Spent P2SH is not treated as generically unknown once the API returns spend-path data. If the redeem script or witness script is visible in the response, BTCQ classifies it further — into multisig, wrapped SegWit, or general script-path exposure — and assigns Tier 2 accordingly.
  • Wrapped SegWit is flagged when the redeem script assembly begins with OP_0, indicating a P2SH-P2WPKH or P2SH-P2WSH construction. Once spent, the redeem path is public.
  • Multisig is flagged when the revealed script assembly includes CHECKMULTISIG in either the redeem script or witness script fields.
  • P2WSH spends are treated as script-path exposure because witness-script details — including any embedded public keys — are typically revealed in full at spend time.
  • Public key material in inputs is flagged when scriptsig_asm includes OP_PUSHBYTES_33 or OP_PUSHBYTES_65, or when witness stack items are 33 or 65 bytes — the compressed and uncompressed public key lengths.

Reuse signal

BTCQ flags address reuse when spent_txo_count exceeds zero. An address that has only received — but never sent — is not flagged, because the public key is only revealed on the spend path. This is a practical on-chain signal, not a wallet-descriptor or UTXO graph analysis.

Privacy boundary

BTCQ has no backend and does not proxy or log requests. The lookup goes from your browser directly to the selected public API provider. That provider, your network path, and your browser can still observe which address was queried. Stronger privacy requires a self-hosted Esplora endpoint or a separate network-privacy layer such as Tor.

Known limits

BTCQ fetches the first page of confirmed history (up to 25 transactions plus one additional page for addresses with deep history). Addresses with very large transaction counts may be assessed on a partial view — this is noted in the results when it occurs. The tool does not parse every possible custom script or establish cryptographic certainty. It is an educational triage tool built from explorer-visible data.