StratosAlly – Cybersecurity for digital safety

The Spy in Your Browser: How Urban VPN Turned ChatGPT Into a Surveillance Feed 


StratosAlly


If you have ever typed a confidential business strategy, a snippet of proprietary code, or a deeply personal question into ChatGPT while using Urban VPN Proxy, you might want to sit down. According to a bombshell report published this week by Koi Security, the massively popular VPN extension promising privacy, installed on over 6 million devices, has been caught intercepting and exfiltrating the full text of user interactions with AI tools. While users thought they were masking their IP addresses, Urban VPN Proxy was effectively sitting in the passenger seat of their AI sessions, targeting prompts sent to ChatGPT, Claude, Gemini, Perplexity, DeepSeek, Meta AI, Grok, and Microsoft Copilot. 

The irony is thick enough to cut with a knife: a tool marketed to protect your identity has been unmasked as one of the year’s most aggressive surveillance devices. 

The Mechanism: A Silent Override 

According to the technical analysis released this week, the extension employed a sophisticated method to bypass standard detection. Starting with version 5.5.0, pushed silently to users via auto-update on July 9, 2025, Urban VPN Proxy began injecting an executor script into the page. The researchers found distinct payloads tailored to each service (such as chatgpt.js, claude.js, and gemini.js), each designed to scrape your interactions on that platform.

Once installed, this executor script overrides the native “fetch()” and “XMLHttpRequest” browser functions. In plain English, the extension hooks into the very pipes that carry data back and forth between your browser and the AI provider.

When you hit Enter on a ChatGPT prompt, the browser usually packages that text and sends it securely to OpenAI. Urban VPN’s script intercepts that package. It captures the conversation data, including the prompt, timestamp, conversation IDs, and the AI’s response, and fires it off to separate remote servers (including analytics[.]urban-vpn[.]com and stats[.]urban-vpn[.]com), all while the legitimate request continues to OpenAI as if nothing had happened. The harvesting mechanism reportedly ran 24/7, even when the VPN functionality was toggled “off.” As long as the extension was enabled in Chrome, the tap was open.
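Because the override described above replaces built-in functions with script-defined ones, it can be looked for from the page itself. The following is an added example, not code from Koi Security's report or from the extension; the function names `looksNative` and `auditNetworkHooks` are assumptions made for illustration.

```javascript
// Added example: list network APIs on a page that are no longer the browser's
// own built-ins. Paste into the DevTools console of the AI chat tab.
const NATIVE_BODY = /\{\s*\[native code\]\s*\}\s*$/;
const nativeToString = Function.prototype.toString;

// True only if fn still looks like the built-in called expectedName.
function looksNative(fn, expectedName) {
  if (typeof fn !== "function") return false;
  // A per-function toString is a common way to fake "[native code]".
  if (Object.prototype.hasOwnProperty.call(fn, "toString")) return false;
  // .bind() output also prints as native, but its name becomes "bound ...".
  if (fn.name !== expectedName) return false;
  return NATIVE_BODY.test(nativeToString.call(fn));
}

// win is a window-like object; returns the labels of replaced functions.
function auditNetworkHooks(win) {
  const xhr = win.XMLHttpRequest;
  const proto = (xhr && xhr.prototype) || {};
  const targets = [
    ["fetch", win.fetch, "fetch"],
    ["XMLHttpRequest", xhr, "XMLHttpRequest"],
    ["XMLHttpRequest.prototype.open", proto.open, "open"],
    ["XMLHttpRequest.prototype.send", proto.send, "send"],
  ];
  return targets
    .filter(([, fn, name]) => fn !== undefined && !looksNative(fn, name))
    .map(([label]) => label);
}

// In a browser, report on the current page; elsewhere this is a no-op.
if (typeof window !== "undefined") {
  console.log("Replaced network APIs:", auditNetworkHooks(window));
}
```

A hit is a lead rather than a verdict, since some sites wrap these functions themselves for monitoring; repeat the check in a profile with all extensions disabled and compare. An empty list is not proof of a clean page, because a carefully disguised hook can still pass.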

From Featured to Compromised 

Koi Security researchers observed the same AI-harvesting functionality in seven other extensions from the same publisher, available in both the Chrome Web Store and Microsoft Edge Add-ons. The list of compromised tools reads like a catalog of essential utilities:

  • Urban VPN Proxy (Chrome & Edge) 
  • 1ClickVPN Proxy 
  • Urban Browser Guard 
  • Urban Ad Blocker 

In total, the surveillance net covers over 8 million users. Crucially, this failure wasn’t limited to Google. With the exception of the Edge version of the ad blocker, every one of these extensions had a Featured badge on its respective storefront. 

This follows a disturbing trend we have tracked throughout 2025. In August, the FreeVPN.One extension was caught taking screenshots of user activity, including Google Sheets and photos, under the guise of an AI threat detection feature. Earlier this year, in January, a massive campaign compromised over 30 extensions, including legitimate AI productivity tools, turning them into data siphons. 

But the Urban VPN case is arguably worse because of the sensitivity of the data. We aren’t just talking about browsing history anymore. We are talking about context. AI prompts often contain the kind of unfiltered, personal, stream-of-consciousness thinking that users would never put into a Google search bar. “Privacy tools that silently intercept AI conversations completely undermine user trust,” wrote the researchers at Koi Security. They noted that the data was likely being packaged for data brokers: a detailed transcript of what 6 million people are thinking, coding, and asking in real time.

One of the primary third parties receiving this Web Browsing Data is an affiliated ad intelligence and brand-monitoring firm, BIScience. But the relationship goes deeper than a simple data-sharing agreement: BIScience actually owns Urban Cyber Security Inc., the corporate entity behind the VPN. This isn’t the first time the parent company has been caught with its hand in the cookie jar. In January of this year, security researcher Wladimir Palant called out BIScience for collecting users’ browsing history, known as clickstream data, under misleading privacy policy disclosures.

For now, the takeaway is stark but necessary: 

  • Audit your extensions immediately. If you have Urban VPN Proxy (or any free VPN extension you haven’t vetted personally) installed, remove it. Disabling it is not enough. 
  • Treat the browser as compromised. If you are working on high-value IP or sensitive personal matters, consider using a dedicated desktop app for AI tools rather than a web browser cluttered with extensions. 
  • The “Free VPN” era is over. If you aren’t paying for privacy with money, you are paying for it with your data. And in 2025, that data includes your inner monologue. 

It’s a harsh lesson to learn at the end of the year, but better to learn it now than after your proprietary code shows up in a data broker’s dossier. 

