INCIDENTS & CASE STUDIES | May 29, 2026

How the Coinbase Breach Happened — And What It Means for Every Company with Outsourced Support

A contractor photographed customer data on her phone. Coinbase is facing $180M–$400M in losses. Zero DLP alerts fired. This is the breach that changes how security teams think about outsourced operations.

In May 2025, Coinbase disclosed that a group of overseas customer-support contractors had been bribed to steal customer data. The method was not a zero-day exploit, not a phishing campaign, not a misconfigured cloud bucket. It was simpler: according to subsequent reporting on the contractor site, agents opened customer records on their screens and photographed them with personal phones.

Coinbase's estimated exposure: between $180 million and $400 million.

The incident is worth studying carefully — not because Coinbase made obvious mistakes, but because they did not. Their digital security stack was, by enterprise standards, mature. The breach happened anyway, through a channel that enterprise DLP does not cover: the screen.

What Actually Happened

Coinbase operates, like most large fintechs, with a hybrid support model. Core engineering and operations are in-house; customer-facing support is partly outsourced to third-party BPOs — in this case, TaskUs, operating from India.

Support agents in that environment have a legitimate business reason to access customer data: they verify identities, resolve disputes and investigate transactions. In a typical locked-down BPO deployment that access is controlled, logged and audited at the network and application layer. File downloads are blocked. Email exfiltration is blocked. USB transfers are blocked.

What is not blocked — what cannot be blocked by any of those controls — is a phone camera pointed at a screen.

THE METHOD

A contractor opens a customer record. The screen shows name, address, phone number, account balance, transaction history. The contractor takes a photo. The data has now left the building. No DLP alert fires. No SIEM event is generated. The application log shows only that the agent opened the record, which is exactly what it shows for legitimate work; nothing records the photograph. From the perspective of every monitoring system in the stack, nothing out of the ordinary happened.

Why Traditional DLP Misses This Entirely

Data Loss Prevention tools — endpoint DLP, network DLP, CASB, email scanning — share a common architectural assumption: data exfiltration is a digital event. A file is copied, an email is sent, a USB is inserted, an API call is made. The tool watches for those events.

Screen photography is not a digital event. It is a physical one. The data never moves across a network. It never touches a USB port. It is never attached to an email. It is converted from pixels on a screen to photons in a room, captured by a camera sensor in a phone, and stored locally on a device that the organization does not manage and cannot inspect.

Endpoint, network and email DLP products, including the largest and most mature, share this blind spot. It is not a configuration gap. It is a category gap.

This is what we call the analog DLP gap: the moment data reaches the screen, it exits the digital perimeter, and all existing controls lose visibility. It's exactly the threat vector that solutions designed to prevent screen photography exist to close.

The Google Indictment Confirms the Method Is Deliberate

The Coinbase breach might be dismissed as an opportunistic act by unsophisticated insiders. A February 2026 DOJ indictment makes that interpretation difficult to sustain.

Three Silicon Valley engineers were charged with stealing trade secrets from Google and at least one other major technology company. The indictment explicitly states that the defendants photographed hundreds of computer screens to exfiltrate the data. The reason is documented: their corporate devices were enrolled in Google's MDM platform, which blocked file transfers to personal accounts. They adapted. They used their phone cameras instead.

These were not unsophisticated actors. They identified a specific gap in a mature security stack — the exact same gap exploited in the Coinbase case — and used it deliberately. The method is reproducible by any insider who understands how DLP works.

THE PATTERN ACROSS INCIDENTS
  • Coinbase / TaskUs (2025): Contractors photographed customer data. $180M–$400M exposure. Zero DLP alerts.
  • Google / DOJ (Feb 2026): Engineers "photographed hundreds of screens" to bypass MDM. Criminal charges filed.
  • Google / Harshit Roy (Nov 2024): Engineer photographed Pixel chip specs, posted on X. No digital trace inside Google's environment.
  • LG Display: Investigators found hundreds of photographs of internal engineering designs on an employee's personal phone. Company DLP triggered zero alerts.
  • Samsung: Staff photographed sensitive information as part of trade-secret theft to Chinese firms. Undetected by digital DLP.

The Forensic Problem

Beyond prevention, the Coinbase and Harshit Roy cases illustrate a second problem: detection and attribution after the fact.

In the Coinbase case, no internal DLP alert fired. By Coinbase's own account it had already detected and fired some of the agents involved in earlier months, but the full scope of the campaign surfaced only when an outside party contacted the company with an extortion demand. Reconstructing what happened meant working from application access logs, which record that an agent opened a record but not whether the screen was photographed, so the investigation relied on access patterns, transaction logs, testimony and external evidence rather than on any event that captured the exfiltration itself.

In the Harshit Roy case, Google required external investigators to establish what had happened. The phone camera left no digital trace inside Google's environment.

This is the detection gap that follows the prevention gap. Organizations cannot identify the scope of exposure because there is no record of what was visible on which screen, when, and to whom.
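The one record that does exist in this scenario is the application-layer view log the page itself mentions (access is logged and audited). As an added example, not code from the page or from any vendor, here are two inexpensive checks over a constructed view log that give a signal in an agent-photography case without any camera: hourly view volume compared to the peer median, and record views with no support ticket attached (access with no documented business reason). The log format, agent and record names, and the 2x threshold are assumptions.

```python
"""Detection over the one log that does exist: application-layer record views.

Added example. The log format and all entries below are constructed for
illustration; they are not Coinbase, TaskUs or vendor data."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: timestamp, agent, customer record, ticket id ("-" = no ticket).
VIEW_LOG = """\
2025-05-01T09:02:11Z agent-a cust-1001 T-551
2025-05-01T09:15:40Z agent-a cust-1002 T-552
2025-05-01T09:48:03Z agent-a cust-1003 T-553
2025-05-01T09:01:07Z agent-b cust-2001 T-561
2025-05-01T09:06:19Z agent-b cust-2002 -
2025-05-01T09:09:55Z agent-b cust-2003 -
2025-05-01T09:12:30Z agent-b cust-2004 -
2025-05-01T09:14:02Z agent-b cust-2005 -
2025-05-01T09:17:45Z agent-b cust-2006 -
2025-05-01T09:20:10Z agent-b cust-2007 -
2025-05-01T09:03:44Z agent-c cust-3001 T-571
2025-05-01T09:31:12Z agent-c cust-3002 T-572
"""


def parse_views(text):
    """Parse the constructed log into dicts; a '-' ticket becomes None."""
    views = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, record, ticket = line.split()
        views.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "agent": agent,
            "record": record,
            "ticket": None if ticket == "-" else ticket,
        })
    return views


def views_per_hour(views):
    """Count record views per (agent, hour bucket)."""
    counts = Counter()
    for v in views:
        counts[(v["agent"], v["ts"].strftime("%Y-%m-%dT%H"))] += 1
    return counts


def flag_volume(views, multiplier=2.0):
    """Agents whose hourly view count exceeds multiplier x the median hourly
    count across all (agent, hour) buckets. Threshold is an assumption."""
    counts = views_per_hour(views)
    baseline = median(counts.values())
    return sorted({agent for (agent, _hour), n in counts.items() if n > multiplier * baseline})


def flag_no_ticket(views):
    """Record views with no ticket attached, grouped by agent: the access
    happened, but nothing in the case system justifies it."""
    by_agent = defaultdict(list)
    for v in views:
        if v["ticket"] is None:
            by_agent[v["agent"]].append(v["record"])
    return dict(by_agent)


if __name__ == "__main__":
    views = parse_views(VIEW_LOG)
    print("high-volume agents:", flag_volume(views))
    print("views with no ticket:", flag_no_ticket(views))
```

Neither check proves a photograph was taken; both narrow the set of agents and records an investigator has to look at, which is the gap the forensic problem above describes. In a real deployment the baseline would be computed over days of history per queue, not one hour of peers.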

What This Means for Companies with Outsourced Operations

The Coinbase breach is not a story about one company's failure. It is a structural illustration of a risk that exists in any organization where:

  • Employees or contractors access sensitive data on screens
  • Some portion of that workforce operates in environments the organization does not physically control
  • Data has value to external actors willing to pay for it

That description applies to most large fintechs, crypto exchanges, insurance carriers, healthcare administrators, and regulated operators running outsourced or offshore support functions.

The question is not whether the analog gap exists in those environments. It does, by construction. The question is whether it is being treated as a control gap that requires a technical response — or as an acceptable residual risk.

After Coinbase, the argument for the latter position is significantly harder to make.

What Screen DLP Addresses

Screen DLP is a category of endpoint security that operates at the layer traditional DLP cannot reach: the screen itself.

A Screen DLP solution uses a standard webcam — the one already attached to the workstation — to monitor the physical environment around the screen in real time. When a phone is raised toward the screen, or an unauthorized person enters the line of sight, or a screen is left unattended with sensitive data visible, the system responds: it can alert, blur, lock, or log, depending on policy.

Critically, it also generates a continuous record of presence at each screen — who was there, when, and for how long. That record exists independently of application logs, network logs, and DLP events. In a post-incident investigation, it closes the attribution gap.

The Coinbase scenario is the clearest illustration of what this covers. A support agent opens a customer record. A phone enters the camera's field of view. The system detects the phone, logs the event, and triggers the configured response, before the photo is taken or at minimum with a timestamped record that it occurred. It is a detective and deterrent control with the usual computer-vision limits (a camera held outside the webcam's field of view, a second device, false positives from ordinary phone use), so it belongs alongside, not instead of, masking of non-essential fields on the agent's screen and monitoring of record-view volume at the application layer.
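The attribution value of a camera-side event is that it can be joined to the application-side view log to say which record was on which screen when a phone was raised. As an added example, not ScreenStop's code or any real log schema, the following takes constructed view sessions (workstation, agent, record, open and close times) and constructed camera events (workstation, timestamp, event type) and builds that timeline, including the two awkward cases: a record still open when the log ends, and a phone raised at a workstation with no sensitive record open. Formats, field names and the event type strings are assumptions.

```python
"""Scope exposure by joining camera-side detections to application-side view sessions.

Added example. All data below is constructed and both log formats are
assumptions, not any product's real schema."""
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed view sessions: workstation, agent, record, opened, closed ("-" = still open at end of log).
SESSIONS = """\
ws-17 agent-b cust-2002 2025-05-01T09:06:19Z 2025-05-01T09:09:40Z
ws-17 agent-b cust-2003 2025-05-01T09:09:55Z 2025-05-01T09:12:10Z
ws-17 agent-b cust-2004 2025-05-01T09:12:30Z -
ws-04 agent-a cust-1002 2025-05-01T09:15:40Z 2025-05-01T09:30:00Z
"""

# Constructed camera events: workstation, timestamp, event type (assumed vocabulary).
CAMERA_EVENTS = """\
ws-17 2025-05-01T09:07:02Z phone_raised
ws-17 2025-05-01T09:11:48Z phone_raised
ws-04 2025-05-01T09:40:15Z phone_raised
ws-17 2025-05-01T09:13:05Z unknown_person
"""


def _ts(s):
    return datetime.strptime(s, FMT)


def parse_sessions(text):
    """A session still open at the end of the log gets an open-ended close time."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ws, agent, record, opened, closed = line.split()
        out.append({"ws": ws, "agent": agent, "record": record,
                    "opened": _ts(opened),
                    "closed": datetime.max if closed == "-" else _ts(closed)})
    return out


def parse_events(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ws, ts, kind = line.split()
        out.append({"ws": ws, "ts": _ts(ts), "kind": kind})
    return out


def on_screen(sessions, ws, ts):
    """The view session, if any, that was open on workstation ws at time ts."""
    for s in sessions:
        if s["ws"] == ws and s["opened"] <= ts <= s["closed"]:
            return s
    return None


def exposure_timeline(sessions, events, kinds=("phone_raised",)):
    """One row per camera event of the requested kinds, in time order, with
    the agent and record on that screen at that moment (None if nothing was open)."""
    rows = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] not in kinds:
            continue
        s = on_screen(sessions, e["ws"], e["ts"])
        rows.append({
            "ts": e["ts"].strftime(FMT),
            "ws": e["ws"],
            "kind": e["kind"],
            "agent": s["agent"] if s else None,
            "record": s["record"] if s else None,  # None: no sensitive record open
        })
    return rows


def exposed_records(sessions, events):
    """Distinct customer records that were on screen during a phone_raised event."""
    return sorted({r["record"] for r in exposure_timeline(sessions, events) if r["record"]})


if __name__ == "__main__":
    sessions = parse_sessions(SESSIONS)
    events = parse_events(CAMERA_EVENTS)
    for row in exposure_timeline(sessions, events):
        print(row)
    print("records to notify:", exposed_records(sessions, events))
```

The join is deliberately on workstation and time rather than on the agent name, because the camera does not know who is logged in; the application session supplies that. The ws-04 event lands after the only session there closed and is kept in the timeline with an empty record, which is itself useful: a phone raised at an idle screen is a policy question, not a breach-notification line item.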

Close the Screen DLP Gap

See ScreenStop in action on your own workstation. Free download — no hardware required.