4 Sources
[1]
Chrome, Edge privacy extensions quietly snarf AI chats
More than 8 million people have installed extensions that eavesdrop on chatbot interactions Ad blockers and VPNs are supposed to protect your privacy, but four popular browser extensions have been doing just the opposite. According to research from Koi Security, these pernicious plug-ins have been harvesting the text of chatbot conversations from more than 8 million people and sending them back to the developers. The four seemingly helpful extensions are Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker. They're distributed via the Chrome Web Store and Microsoft Edge Add-ons, but include code designed to capture and transmit browser-based interactions with popular AI tools. "Urban VPN Proxy targets conversations across ten AI platforms," said Idan Dardikman, co-founder and CTO of Koi, in a blog post published Monday. The research firm said that the platforms targeted include ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI. "For each platform, the extension includes a dedicated 'executor' script designed to intercept and capture conversations," said Dardikman, who explained data harvesting is enabled by default through a hardcoded configuration flag. "There is no user-facing toggle to disable this. The only way to stop the data collection is to uninstall the extension entirely." According to Dardikman, the Urban VPN Proxy extension monitors the user's browser tabs and, when the user visits one of the targeted platforms (e.g., chatgpt.com), it injects the "executor" script into the page. "Once injected, the script overrides fetch() and XMLHttpRequest - the fundamental browser APIs that handle all network requests," he explained. "This is an aggressive technique. The script wraps the original functions so that every network request and response on that page passes through the extension's code first." 
The script parses the intercepted API responses and then packages and transmits the data via window.postMessage to the extension's content script, along with the identifier PANELOS_MESSAGE. The content script then passes the data to a background service worker for exfiltration over the network to endpoints at analytics.urban-vpn.com and stats.urban-vpn.com. The Register reached out to Urban VPN, affiliated company BiScience, and 1ClickVPN at their respective privacy email addresses. All three requests bounced. Pointing to prior investigative material published by security researcher Wladimir Palant and John Tuckner of Secure Annex that details BiScience's collection of clickstream/browsing history data, Dardikman said his company's findings show BiScience expanding into the collection of AI conversations. He notes that while Urban VPN does disclose AI data collection during the setup prompt and in its privacy policy, the Chrome Web Store listing indicates that data is not being sold to third parties outside approved use cases and that AI conversations are not specifically mentioned. "The consent prompt frames AI monitoring as protective," he said. "The privacy policy reveals the data is sold for marketing." He adds that users who installed Urban VPN prior to July 2025 would have never seen the consent prompt, which was added via a silent update with version 5.5.0. He also argues that the software provides no indication that data collection happens even when the VPN is not active. Dardikman notes that Urban VPN received a Featured Badge from the Chrome Web Store team. "This means a human at Google reviewed Urban VPN Proxy and concluded it met their standards," he said. "Either the review didn't examine the code that harvests conversations from Google's own AI product (Gemini), or it did and didn't consider this a problem." He observes that the Chrome Web Store policies explicitly prohibit transferring or selling user data to third party data brokers like BiScience. 
Google did not immediately respond to a request for comment. The problem appears to be a loophole in Google's Chrome Web Store Limited Use policy, which allows data to be transferred to third parties for limited scenarios (e.g., security or business ownership change) that do not include transferring data to data brokers. Palant in his post suggests that BiScience and its affiliated partners implement user-facing features that allegedly require access to browsing history, to claim the "necessary to providing or improving your single purpose" exception that allows limited data transfer to third parties. Or they claim the security exception by implementing safe browsing or ad blocking features. "Chrome Web Store appears to interpret their policies as allowing the transfer of user data, if extensions claim Limited Use exceptions through their privacy policy or other user disclosures," Palant wrote. "Unfortunately, bad actors falsely claim these exceptions to sell user data to third parties." "If you have any of these extensions installed, uninstall them now," Dardikman concluded. "Assume any AI conversations you've had since July 2025 have been captured and shared with third parties." ®
[2]
This VPN is harvesting your AI conversations - and 6 million people are using it
Every prompt you enter and every response you receive is being collected and shared - so avoid this VPN at all costs New research has discovered Urban VPN's browser extension collects, shares, and sells your highly sensitive personal data. An investigation by Koi discovered the browser extension "Urban VPN Proxy" has been intercepting and capturing conversations from 10 AI platforms. Sensitive data is shared to Urban VPN's servers, and then sold to third-parties. Urban VPN does not feature in our guide to the best VPNs, and we warned against people downloading it back in 2024. Despite the dangers, Urban VPN Proxy has six million users and an average rating of 4.7 stars, from 58,000 reviews, on the Google Play Store. It describes itself as "the best secured Free VPN" but you should avoid it at all costs. If you're after a free VPN, we would strongly recommend the VPNs featured in our best free VPN guide - PrivadoVPN Free, Proton VPN Free, and Windscribe Free. Koi's investigation found that 10 major AI platforms were targeted by Urban VPN Proxy, including: For each AI tool, Urban VPN Proxy operates a dedicated "executor" script, enabling it to capture conversations. Worryingly, there is no way to disable this other than to uninstall the extension. The data collection also takes place whether you are connected to the VPN or not. Your browser tabs are monitored at all times, and the script is injected as soon as you visit any of the AI platforms. Aggressive techniques are used to override any native browser functions. Data is then extracted, tagged, and sent to Urban VPN Proxy's servers. Highly sensitive personal data is collected, including: According to Koi, this malicious script was added in via an update in July 2025, with no such feature present before then. With Google Chrome and Microsoft Edge extensions updating automatically with no notification of new permissions, it's likely many users would have been unaware of this silent infiltration. 
To give Urban VPN Proxy some credit, it does disclose its data collection practices. Its privacy policy states it "may collect your web browsing data" if you are a user of its "Windows or Android App and Extensions free versions." It says data is processed and shared with its affiliate company "based on consent." For AI inputs and outputs, it says it will collect AI prompts and outputs, and prompts are disclosed "for marketing analytics purposes." B.I Science (2009) Ltd. - which offers marketing and data insights - is listed as Urban VPN Proxy's affiliate company. Urban VPN Proxy's privacy policy states that BiScience uses its raw data to create insights "which are commercially used and shared with Business Partners." Urban VPN Proxy's Google Play listing says it handles location, web history, and website content data. It also declares that data is: This appears to contradict what is stated in the privacy policy, and should be a red flag for anyone looking to download the extension. Koi's research found the malicious script was also present in 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker extensions for both Google Chrome and Microsoft Edge. The old adage "if you're not paying for the product, you are the product" still holds true. We do recommend some free VPNs, but there are countless others out there that do more harm than good. VPNs take money to run, so if you're not funding it with your money directly, there's a high likelihood that your data is being used to generate revenue. Sam Soares, Chief Revenue Officer at CultureAI, echoes this sentiment: "The Urban VPN story is a classic example of what happens when people put blind trust in 'free' tools. If you don't know how a tool makes money, assume it's monetising your data." If you need a VPN, we highly recommend choosing a paid option. If that's not possible, pick from our choice of the best free VPNs - they're fully tested, proven to be safe to use, and don't collect or sell your data.
If you have any of the extensions listed above downloaded on your device, delete them immediately. The invasive nature of their design means the only way to effectively protect yourself is to remove the apps entirely. If you are concerned your data may have been collected, you can sign up to a data removal service such as Incogni. These services contact data brokers on your behalf and submit deletion requests. They aren't 100% effective but do cover a lot of ground. Incogni comes bundled with the 27-month Surfshark One+ plan, costing $4.19 per month ($113.13 up front pre-tax). This also acts as a stark reminder to be mindful of what information you are feeding AI tools. The data practices of AI companies leave a lot to be desired at the best of times, but combining this with malicious browser extensions could have devastating consequences for your personal information and privacy. Thoroughly investigate the browser extensions you're downloading and, where possible, read the privacy policy. When it comes to VPNs, there are countless dangerous apps out there. Only subscribe to genuine VPN providers, with verified no-logs policies and a high standard of privacy and security. Tom's Guide has reviewed hundreds of VPNs and we will only recommend a provider if it is genuinely secure and will protect your online privacy.
[3]
This Google Chrome extension has been silently stealing every AI prompt its users enter
Several related Urban extensions perform the same large‑scale data collection A popular Google Chrome browser extension has been found to be harvesting anything its users prompted into most of the biggest AI tools around, as well as collecting the chatbot's responses, all apparently in order to earn an extra few dollars for its owners. Urban VPN Proxy has more than six million installations, and a 4.7/5 rating on the Google Chrome Web Store - and on the Microsoft Edge Add-ons marketplace, it has an additional 1.3 million installations. It used to work as your ordinary VPN - by hiding the user's actual IP address and thus working around geoblocks and other various restrictions. However, as Koi security researchers discovered, on July 9 2025, the extension was updated with version 5.5.0, which introduced the AI harvesting by default. Anything users typed into ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, Grok, Meta AI, and Perplexity, would be picked up, as well as anything these tools returned. Furthermore, the extension also extracted conversation identifiers, timestamps, session metadata, and which AI platform and model was used. The company behind the extension, called Urban Cyber Security, isn't hiding its practices, noting in its privacy policy document how it's harvesting "anonymized" data and sharing it with BIScience - another company it owns. This company is an affiliated ad intelligence and brand monitoring organization. In other words, it analyzes large-scale, anonymized online behavior, helping businesses understand advertising performance, consumer journeys, and competitive activity. While Urban says it removes personally identifiable data and does its best not to share sensitive information, the company stresses this cannot be guaranteed. 
"However, the purpose of this processing is not to collect personal or identifiable data, we cannot fully guarantee the removal of all sensitive or personal information, we implement measures to filter out or eliminate any identifiers or personal data you may submit through the prompts and to de-identify and aggregate the data," the privacy policy reads. Koi researchers said the same company has multiple extensions, all of which are harvesting the same data - 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker.
[4]
This Chrome extension has 7 million subscribers, and it could be spying on you
A privacy-focused Chrome extension installed by more than seven million people worldwide has gone rogue and is stealing your AI chatbot conversations from under your nose. The extension, Urban VPN Proxy, actually has a Chrome Featured badge, which should mean it follows Google's best practices on privacy and security, but it was revealed to be pilfering prompt information on a huge number of AI chatbots, including ChatGPT, Claude, and Perplexity, and is being sold to the highest bidders to target you with ads. But while the data collection and privacy breach is shocking, it's a timely reminder to be careful of what you share with an AI platform, as you don't truly know where that data is going -- or who is going to be reading it.

This VPN app is silently stealing your AI searches
I'd remove this extension now and switch to something trusted

The team over at Koi first highlighted this issue after a chance search by one of its research team, Idan Dardikman. His research found that Urban VPN Proxy, a Google Chrome "Featured" extension, targets conversations across numerous AI chatbots, grabbing information on your prompts and inputs. Furthermore, Koi's research found that the data collection takes place even when you're not using the VPN extension, and data is collected near continuously when you use the AI apps.

Affected AI Chatbots
- ChatGPT
- Claude
- Gemini
- Copilot
- Perplexity
- DeepSeek
- Grok
- Meta AI

Koi's blog explains the process in more detail, but here's a quick overview of how it works:
- Script injection: The extension monitors your tabs (normal behavior), but when you visit one of the AI chatbots listed above, it injects code into the page.
- Override: The script injection allows the extension to basically see every request sent while you're using the AI chatbot before it even hits your browser.
- Extraction: Once active, the script focuses on "conversation data," which includes "prompts, responses, timestamps, [and] conversation IDs."
- Transmission: The data is packaged and sent to Urban VPN's servers, where it can be analyzed.

Furthermore, it's not confined to just the Urban VPN Proxy extension, either. Koi's research team found the same AI harvesting code present in other extensions developed by the same publisher, Urban Cyber Security Inc.

Extension | Chrome Web Store Users | Microsoft Edge Add-ons Users | Total Users
Urban VPN Proxy | 6,000,000 | 1,323,622 | 7,323,622
1ClickVPN Proxy | 600,000 | 36,459 | 636,459
Urban Browser Guard | 40,000 | 12,624 | 52,624
Urban Ad Blocker | 10,000 | 6,476 | 16,476
Total | 6,650,000 | 1,379,181 | 8,029,181

So, if you're using these Chrome browser extensions in an attempt to protect your privacy, think again.

How did a "Featured" extension get away with data collection?
It's all in the update timeline

You're probably wondering how a Chrome Extension with the Featured badge gets away with having a data-collecting script injection element. Surely Google wouldn't sign off on such a thing? It's hard to tell entirely, but it certainly looks like Urban VPN Proxy had its Featured badge before it rolled out the data-collection scripts. A glance at the Wayback Machine at a cached Urban VPN Proxy page from May 2025 shows the Featured tag, yet the script wasn't added to the extension until July 2025. The Chrome Web Store's Limited Use policy explicitly prohibits "transferring or selling user data to third parties like advertising platforms, data brokers, or other information resellers." BiScience is, by its own description, a data broker. Anyone who downloaded the app before July 2025 won't have seen the updated policies, making it easier to slip by. While Google claims it checks every Featured app before approval, and it likely does, post-Featured approval updates clearly don't get the same level of scrutiny. Or, someone at Google decided that a privacy-focused extension collecting AI conversation data is okay.
Either way, it's not a great look, and highlights why it's difficult to trust Chrome's Web Store. Koi's research points out that Urban VPN's privacy policy explains its data collection practices, but it's not the easiest to find. It also appears that there are differences between Urban VPN Proxy's consent prompt and its privacy policy. The water is further muddied by Urban VPN's claim to offer "advanced AI protection," which Koi's research suggests is somewhat two-faced. Furthermore, this isn't the first time Koi has uncovered an extension gone rogue. Back in August 2025, Koi revealed FreeVPN had secretly started collecting screenshots of your browsing sessions, highlighting the issues with Google's Featured extensions. I'd steer clear of browser VPNs full stop Better options are available The browser extension VPN market has always felt a little iffy to me. For starters, they only protect the data in your browser rather than your whole device, which can create a false sense of security. Then there are the problems with some browser VPN extensions actually just being a proxy, which doesn't provide the same level of protection (like, in the slightest). There are definitely some safe-to-use browser VPN extensions. For example, Opera browser's integrated VPN is certified no-log. Vivaldi's integrated VPN is similarly secure, while NordVPN's browser extension is perfectly safe. If you're going to download a VPN, stick to the trusted names. We'd strongly advise using a no-log VPN provider such as Proton VPN, Mullvad, or NordVPN. I stopped using browser VPNs after this -- and you should too Be careful what you type This isn't the fault of the AI chatbots, but you should consider what secrets you're telling Now, this whole Urban VPN Proxy privacy debacle also highlights an issue I've been warning people about since AI hit the big time in November 2022: you don't know what's happening to your data. 
I'm keen to highlight that in this case, it's not AI chatbots causing the problem. It's the VPN that's quietly changed its code and privacy policy. But there are still topics you shouldn't talk about with AI, not least because you have no idea about how the AI company will use your information. Sure, it might be "anonymized," but it's collecting and storing everything you input, including your financials, relationship status, health problems, and so on. A dodgy VPN company isn't always going to be snooping on your AI chats, but you should still be extremely careful with what you post.
A Google Chrome Featured extension is harvesting AI chatbot conversations from millions of users without their knowledge. Security researchers at Koi discovered that Urban VPN Proxy and three related browser extensions are secretly collecting user prompts and responses from ChatGPT, Claude, Gemini, and seven other AI platforms, then selling the data to third-party brokers despite Chrome Web Store policies prohibiting such practices.

Urban VPN Proxy, a Google Chrome extension with over 6 million installations and a Chrome Featured badge, has been caught secretly collecting AI chatbot conversations from users and selling the data to third parties. Security researchers at Koi Security uncovered that the extension, along with three related tools—1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker—is harvesting AI conversations from more than 8 million people across Chrome and Microsoft Edge Add-ons platforms [1]. The discovery reveals a troubling privacy breach affecting users who believed they were protecting themselves with VPN and ad-blocking tools.

The data harvesting targets 10 major AI platforms, including ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI [1][2]. According to Idan Dardikman, co-founder and CTO of Koi, each platform has a dedicated "executor" script designed to intercept and capture conversations. The data collection occurs whether users are connected to the VPN or not, and there is no user-facing toggle to disable the feature—the only way to stop it is complete uninstallation [1].

The mechanism behind this data harvesting involves aggressive technical methods that override native browser functions. Urban VPN Proxy monitors users' browser tabs continuously, and when someone visits one of the targeted AI platforms like chatgpt.com, it injects the executor script into the page [1]. Once injected, the script overrides fetch() and XMLHttpRequest—the fundamental browser APIs that handle all network requests. "This is an aggressive technique," Dardikman explained. "The script wraps the original functions so that every network request and response on that page passes through the extension's code first" [1].

The intercepted data includes user prompts and responses, conversation identifiers, timestamps, session metadata, and information about which AI platform and model was used [3]. After parsing the API responses, the script packages and transmits the data via window.postMessage to the extension's content script, tagged with the identifier PANELOS_MESSAGE. The content script then passes this information to a background service worker for exfiltration over the network to endpoints at analytics.urban-vpn.com and stats.urban-vpn.com [1].

The malicious AI harvesting code wasn't always present in these browser extensions. Koi's investigation found that the script was added via an update on July 9, 2025, with version 5.5.0 [3][4]. This timing is significant because anyone who installed Urban VPN prior to July 2025 would never have seen the consent prompt that was added with this version [1]. With Google Chrome and Microsoft Edge extensions updating automatically without notification of new permissions, most users remained unaware of this silent infiltration [2].

Archived pages from the Wayback Machine show that Urban VPN Proxy had received its Chrome Featured badge before the data-collection scripts were rolled out in July, suggesting the malicious code was added after Google's initial review [4]. This raises serious questions about post-approval monitoring of Featured extensions in the Google Chrome Web Store.

While Urban VPN does disclose AI data collection in its privacy policy, the transparency is questionable at best. The company states it "may collect your web browsing data" and that AI prompts and outputs are disclosed "for marketing analytics purposes" [2]. However, Dardikman points out significant discrepancies: "The consent prompt frames AI monitoring as protective. The privacy policy reveals the data is sold for marketing" [1].

The collected user data is shared with BiScience (B.I Science (2009) Ltd.), an affiliated company that Urban VPN describes as providing marketing and data insights [2]. BiScience uses the raw data to create insights "which are commercially used and shared with Business Partners" [2]. This directly contradicts the Chrome Web Store listing, which indicates that data is not being sold to third parties outside approved use cases [1]. The Chrome Web Store policies explicitly prohibit transferring or selling user data to third-party data brokers like BiScience [1].

The fact that Urban VPN Proxy received a Featured Badge from the Chrome Web Store team adds another troubling dimension to this privacy breach. "This means a human at Google reviewed Urban VPN Proxy and concluded it met their standards," Dardikman noted. "Either the review didn't examine the code that harvests conversations from Google's own AI product (Gemini), or it did and didn't consider this a problem" [1]. The issue appears to stem from a loophole in Google's Chrome Web Store Limited Use policy, which allows data transfer to third parties for limited scenarios like security purposes—exceptions that bad actors falsely claim to sell user data [1].

Security researcher Wladimir Palant suggested that BiScience and its affiliated partners implement user-facing features that allegedly require access to browsing history to claim the "necessary to providing or improving your single purpose" exception. Alternatively, they claim the security exception by implementing safe browsing or ad-blocking features [1]. This isn't Koi's first discovery of a rogue Featured extension—in August 2025, the firm revealed FreeVPN had secretly started collecting screenshots of browsing sessions [4].

The total impact spans four extensions with combined installations exceeding 8 million users. Urban VPN Proxy alone accounts for 6 million Chrome users and 1.3 million Microsoft Edge users, while 1ClickVPN Proxy has approximately 636,000 users, Urban Browser Guard has 52,000 users, and Urban Ad Blocker has 16,000 users [4]. Sam Soares, Chief Revenue Officer at CultureAI, emphasized the broader lesson: "The Urban VPN story is a classic example of what happens when people put blind trust in 'free' tools. If you don't know how a tool makes money, assume it's monetising your data" [2].

Security researchers strongly recommend immediate uninstallation of all four extensions. The invasive nature of their design means removal is the only effective protection method [2]. Users concerned about their data being sold can consider data removal services like Incogni, which contact data brokers and submit deletion requests on behalf of users [2]. This incident serves as a critical reminder to scrutinize what information gets shared with AI tools and to thoroughly investigate browser extensions before installation, including reading privacy policies and checking for consent discrepancies.

Summarized by Navi
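
A defensive triage sketch for the interception chain described in the summary above (an added example, not code from Koi's research or from the extensions): it scans the text of unpacked extension source files for the three indicator strings quoted in the reporting and for generic signs of fetch/XMLHttpRequest reassignment combined with a postMessage relay. The behaviour regexes, function names, verdict labels and sample files are assumptions constructed for this example.

```javascript
// Added example: static triage of unpacked extension source files.
// Indicator strings are the ones quoted in the reporting above; the
// behaviour regexes are this example's own heuristics (assumptions).
const PAGE_INDICATORS = [
  "PANELOS_MESSAGE",
  "analytics.urban-vpn.com",
  "stats.urban-vpn.com",
];

const NETWORK_HOOKS = ["fetch-override", "xhr-method-override", "xhr-replace"];
const BEHAVIOUR_RULES = [
  // Assignment to the page's fetch ("=" but not "==" / "===").
  { id: "fetch-override", re: /\b(?:window|self|globalThis)\.fetch\s*=(?!=)/ },
  // Patching XMLHttpRequest methods or swapping the constructor.
  { id: "xhr-method-override", re: /XMLHttpRequest\.prototype\.(?:open|send)\s*=(?!=)/ },
  { id: "xhr-replace", re: /\b(?:window|self|globalThis)\.XMLHttpRequest\s*=(?!=)/ },
  // Page-to-content-script relay.
  { id: "postmessage", re: /\.postMessage\s*\(/ },
];

// Scan one file; minified one-line bundles simply report line 1.
function scanSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const id of PAGE_INDICATORS) {
      if (line.includes(id)) findings.push({ file, line: idx + 1, kind: "indicator", id });
    }
    for (const { id, re } of BEHAVIOUR_RULES) {
      if (re.test(line)) findings.push({ file, line: idx + 1, kind: "behaviour", id });
    }
  });
  return findings;
}

// files: { "relative/path.js": "source text", ... }
// verdict: "match"  = a reported indicator string is present
//          "review" = no indicator, but a network hook plus a postMessage relay
//          "clean"  = neither
function triageExtension(files) {
  const findings = Object.entries(files).flatMap(([f, t]) => scanSource(f, t));
  const ids = (kind) =>
    [...new Set(findings.filter((x) => x.kind === kind).map((x) => x.id))].sort();
  const indicators = ids("indicator");
  const behaviours = ids("behaviour");
  const hooked = NETWORK_HOOKS.some((id) => behaviours.includes(id));
  let verdict = "clean";
  if (indicators.length > 0) verdict = "match";
  else if (hooked && behaviours.includes("postmessage")) verdict = "review";
  return { verdict, indicators, behaviours, findings };
}

// Constructed samples (not real extension code). The wrapper is a plain
// pass-through so the scanner has something to match.
const SAMPLE_MATCH = {
  "executor.js": [
    "const nativeFetch = window.fetch;",
    "window.fetch = function (...a) { return nativeFetch.apply(this, a); };",
    "window.postMessage({ type: 'PANELOS_MESSAGE' }, location.origin);",
  ].join("\n"),
  "background.js": "const STATS_HOST = 'stats.urban-vpn.com';",
};
const SAMPLE_REVIEW = {
  "inject.js": "self.fetch = wrap(self.fetch); parent.postMessage(msg, origin);",
};
const SAMPLE_CLEAN = {
  "popup.js": "fetch('/api/status').then((r) => r.json());",
};

for (const [name, files] of Object.entries({ SAMPLE_MATCH, SAMPLE_REVIEW, SAMPLE_CLEAN })) {
  const r = triageExtension(files);
  console.log(name, r.verdict, r.indicators, r.behaviours);
}
```

A "review" verdict only means the file deserves a manual read: legitimate extensions also wrap network APIs, so the heuristic rules are a prompt for inspection and not proof of harvesting.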