Urban VPN Proxy Accused of Harvesting AI Prompts Without User Consent

Researchers Find Browser Extensions Quietly Collecting Millions of AI Chatbot Conversations

The420 Web Desk

A browser extension promoted as a privacy tool and endorsed by major platforms quietly transformed itself into a vast data-collection mechanism, capturing millions of users’ private conversations with artificial intelligence systems and raising new questions about trust, consent, and oversight in the booming extension economy.

A Trusted Tool, Recast in Silence

For years, Urban VPN Proxy occupied a comfortable niche in the browser extension ecosystem. Marketed as a free tool to “hide your IP” and “protect your online identity,” it amassed a large user base, roughly six million on Google Chrome and more than a million on Microsoft Edge, along with a prominent “Featured” badge that signaled approval from platform gatekeepers. That trust, researchers now say, proved decisive.

According to findings published by Koi Security, an update pushed to users in July 2025 fundamentally altered the extension’s behavior. Without prominent disclosure or opt-in consent, the software began collecting every prompt typed into popular AI chatbots, along with the bots’ responses, across services including OpenAI’s ChatGPT, Anthropic’s Claude, Microsoft Copilot, Google Gemini, xAI’s Grok, Meta AI, DeepSeek, and Perplexity.

Chrome and Edge extensions update automatically by default. For users who installed Urban VPN solely for its advertised virtual private network functionality, the change arrived silently, embedded in new code that redefined the extension’s purpose overnight.

How AI Conversations Were Intercepted

Technically, the mechanism was both sophisticated and comprehensive. Investigators found that the extension injected tailored JavaScript files, such as chatgpt.js, claude.js, and gemini.js, whenever a user visited an AI chatbot. These scripts intercepted browser network requests by overriding standard APIs like fetch() and XMLHttpRequest(), ensuring that every interaction passed through the extension first.
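For defenders, overrides of this kind are often visible from inside the affected page. The following is an added example, not code from Koi Security or from the extension: a first-pass audit that reports whether fetch and XMLHttpRequest in a given scope are still browser built-ins. It assumes the hooks live in the page's own JavaScript context; the function names and the stand-in scopes are hypothetical.

```javascript
// Paths a page-level network hook would have to replace or patch.
const WATCHED = [
  'fetch',
  'XMLHttpRequest',
  'XMLHttpRequest.prototype.open',
  'XMLHttpRequest.prototype.send',
];

// Call the engine's toString directly rather than fn.toString(),
// which a wrapper can shadow with its own property.
const fnToString = Function.prototype.toString;

function resolvePath(scope, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), scope);
}

// Returns 'native', 'replaced' or 'missing' for one candidate function.
function classify(fn) {
  if (typeof fn !== 'function') return 'missing';
  // Bound functions print as native code, so flag them for review by name.
  if (String(fn.name).startsWith('bound ')) return 'replaced';
  let src;
  try { src = fnToString.call(fn); } catch { return 'replaced'; }
  return /\{\s*\[native code\]\s*\}\s*$/.test(src) ? 'native' : 'replaced';
}

// In a browser console on the chatbot tab: auditNetworkApis(window).
function auditNetworkApis(scope = globalThis) {
  const report = {};
  for (const path of WATCHED) report[path] = classify(resolvePath(scope, path));
  return report;
}

function replacedApis(scope = globalThis) {
  const report = auditNetworkApis(scope);
  return WATCHED.filter((path) => report[path] === 'replaced');
}

// Constructed stand-ins so the audit also runs outside a browser:
// Math.max and Map play the role of untouched built-ins.
const cleanScope = { fetch: Math.max, XMLHttpRequest: Map };
const passThrough = (...args) => Math.max(...args); // harmless wrapper
const hookedScope = { fetch: passThrough, XMLHttpRequest: Map };
console.log(replacedApis(cleanScope), replacedApis(hookedScope));
```

A 'native' result is only a first-pass signal, since a hook that also disguises its toString output is not caught; a 'replaced' result on a page that should not be patching these APIs is worth tracing back to the script that installed it.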

The result was a detailed record of AI use: user prompts, chatbot responses, timestamps, conversation identifiers, session metadata, and even information about which AI model was being used. That data was then transmitted to remote servers controlled by the developer, including endpoints labeled analytics.urban-vpn[.]com and stats.urban-vpn[.]com.
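The two endpoints named above can be turned into an egress check. This is an added example, not part of the original report: it scans proxy or DNS log lines for those hosts, matching on the parsed hostname so that lookalike domains do not trigger. The log format, client addresses and timestamps are constructed, and matching subdomains of the named hosts is an assumption that goes beyond what the article states.

```javascript
// Endpoints named in the article, kept defanged as published.
const DEFANGED = ['analytics.urban-vpn[.]com', 'stats.urban-vpn[.]com'];
const IOCS = DEFANGED.map((d) => d.replace(/\[\.\]/g, '.').toLowerCase());

// Extract a hostname from a bare host, host:port, or full URL.
function hostOf(field) {
  let host = String(field).trim().toLowerCase();
  if (host.includes('://')) {
    try { host = new URL(host).hostname; } catch { return null; }
  }
  return host.replace(/:\d+$/, '').replace(/\.$/, '');
}

// Match the exact host or a subdomain of it, never a mere substring.
function isIocHost(host) {
  return host !== null && IOCS.some((i) => host === i || host.endsWith('.' + i));
}

// Assumed log format (constructed): "<time> <client> <method> <destination>".
function findHits(lines) {
  const hits = [];
  for (const line of lines) {
    const [time, client, , dest] = line.trim().split(/\s+/);
    const host = dest ? hostOf(dest) : null;
    if (isIocHost(host)) hits.push({ time, client, host });
  }
  return hits;
}

// Constructed sample log; clients and timestamps are made up.
const [A, S] = IOCS;
const SAMPLE_LOG = [
  `2025-07-20T09:14:02Z 10.0.4.17 CONNECT ${A}:443`,
  `2025-07-20T09:14:05Z 10.0.4.17 POST https://${S}/`,
  `2025-07-20T09:15:40Z 10.0.4.22 GET https://${S}.example.net/`, // lookalike parent domain
  `2025-07-20T09:16:11Z 10.0.4.22 CONNECT my${S}:443`, // lookalike prefix
  `2025-07-20T09:17:30Z 10.0.4.31 CONNECT EU.${A.toUpperCase()}.:443`, // subdomain, mixed case, trailing dot
];

console.log(findHits(SAMPLE_LOG));
```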

Koi Security identified the same AI-harvesting functionality in three other extensions from the same publisher—1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker—bringing the total install base linked to the practice to more than eight million users across Chrome and Edge.

“AI Protection” and the Data Economy Behind It

On its public listing, Urban VPN highlighted an “AI protection” feature, described as a safeguard that scans prompts for personal data or unsafe links and warns users before they submit them. Researchers argue that this framing obscured a more consequential reality: the monitoring occurred regardless of whether the feature was enabled.

In practice, said Idan Dardikman of Koi Security, the extension warned users about sharing sensitive information with AI systems while simultaneously exfiltrating those same conversations to its own infrastructure. One recipient of that data, according to the company’s disclosures, was an affiliated advertising and brand-intelligence firm called BIScience, which uses raw, non-anonymized browsing data to generate insights “commercially used and shared with business partners.”

BIScience, which also owns Urban Cyber Security Inc., has faced previous scrutiny from researchers over alleged collection of browsing histories under what were described as misleading privacy policy disclosures. Investigators say the company provided software development kits to third-party developers, allowing clickstream data to be transmitted to domains under its control.

Urban VPN’s updated privacy policy, dated June 25, 2025, states that AI prompt data may be collected to enhance safe browsing and for marketing analytics, with secondary uses conducted on de-identified or aggregated information. Researchers counter that technical evidence shows sensitive content being captured in full before any such filtering.

Badges, Blind Spots, and Platform Trust

Perhaps the most unsettling aspect of the episode is how seamlessly the data collection scaled. With the exception of one Edge listing, the extensions carried “Featured” badges—signals that, for many users, imply heightened review and quality standards.

“These badges are the difference between installing an extension and passing it by,” Dardikman noted. “They function as an implicit endorsement.”

The case highlights a broader vulnerability in browser marketplaces, where policies allow access to browsing data under narrowly defined “approved use cases.” By tying data collection to user-facing features like AI safety or ad blocking, developers can claim that broad permissions are necessary to improve a single stated purpose.
