Security researchers have found that Urban VPN Proxy, a widely used free browser VPN extension with millions of installs, has been collecting and exporting full AI chat conversations from users’ browsers.

For organizations where employees routinely paste internal context, code snippets, customer details, or investigative notes into AI tools, the behavior represents a direct data-exfiltration channel operating entirely outside traditional enterprise security controls.

The issue is not limited to VPN traffic or encrypted sessions.

According to Koi Security’s findings, Urban VPN injects scripts that activate whenever users interact with popular AI platforms, capturing both prompts and responses, even when VPN features are disabled.

Hidden scripts in “privacy” armor

Apart from offering a VPN service, Urban VPN Proxy deployed “executor” scripts that activate when a user opens AI chat platforms like ChatGPT, Claude, Gemini, Perplexity, Grok, and others. “Each platform has its own dedicated script: chatgpt.js, claude.js, gemini.js, and so on,” Koi researchers said in a blog post.

These scripts override key browser network APIs to intercept everything a user types and receives, package it, and send it off to Urban VPN’s backend systems. The underlying code continuously monitors AI conversation content and related metadata, and uploads it regardless of VPN use.
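As an added illustration (not code from the article or from Koi Security), the following defender-side check looks for exactly this kind of replacement of browser network APIs: browser-provided functions such as `fetch` and `XMLHttpRequest.prototype.send` stringify to `[native code]`, while a JavaScript wrapper installed by a content script does not. The `demo()` function builds a constructed stand-in global (using an engine-native function as a placeholder for the real browser API) so the check can be run outside a browser; in a real page you would call `auditNetworkApis(window)` from the DevTools console.

```javascript
// Added example: detect whether page-level network APIs have been replaced
// by non-native JavaScript wrappers (the interception pattern described above).
const NETWORK_APIS = [
  ["fetch", (g) => g.fetch],
  ["Response.prototype.text", (g) => g.Response && g.Response.prototype.text],
  ["XMLHttpRequest.prototype.open", (g) => g.XMLHttpRequest && g.XMLHttpRequest.prototype.open],
  ["XMLHttpRequest.prototype.send", (g) => g.XMLHttpRequest && g.XMLHttpRequest.prototype.send],
  ["WebSocket.prototype.send", (g) => g.WebSocket && g.WebSocket.prototype.send],
];

// True when fn stringifies like an engine/browser-native function.
// Calling Function.prototype.toString directly (not fn.toString) means a
// wrapper cannot hide simply by overriding its own toString property.
function looksNative(fn) {
  if (typeof fn !== "function") return false;
  const src = Function.prototype.toString.call(fn);
  return /\{\s*\[native code\]\s*\}\s*$/.test(src);
}

// Audits the listed APIs on a global object and returns the names that are
// no longer native. APIs absent from the global (e.g. in Node) are skipped.
// Caveat: a script that also replaces Function.prototype.toString can defeat
// this check, so toString itself is reported first as a canary.
function auditNetworkApis(globalObj) {
  const tampered = [];
  if (!looksNative(Function.prototype.toString)) tampered.push("Function.prototype.toString");
  for (const [name, get] of NETWORK_APIS) {
    const fn = get(globalObj);
    if (fn === undefined) continue;
    if (!looksNative(fn)) tampered.push(name);
  }
  return tampered;
}

// Constructed demo: a clean stand-in global, then the same global after a
// forwarding wrapper (the shape an intercepting content script installs) is
// added around fetch and XMLHttpRequest.prototype.send.
function demo() {
  const nativeStandIn = Math.max; // any engine-native function stringifies to [native code]
  function FakeXHR() {}
  FakeXHR.prototype.open = nativeStandIn;
  FakeXHR.prototype.send = nativeStandIn;
  const g = { fetch: nativeStandIn, XMLHttpRequest: FakeXHR };
  const before = auditNetworkApis(g);
  const origSend = FakeXHR.prototype.send;
  FakeXHR.prototype.send = function (body) { return origSend.call(this, body); }; // simulated wrapper
  const origFetch = g.fetch;
  g.fetch = (...args) => origFetch(...args); // simulated wrapper
  const after = auditNetworkApis(g);
  return { before, after };
}
```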

The Chrome extension carries high ratings and a “Featured” badge by Google, giving users an implicit trust signal, the researchers noted. “The badge from Google means it had passed manual review and met what Google describes as a high standard of user experience and design,” they said.

Google did not immediately respond to CSO’s request for comments.

Both Chrome and Edge variants of the extension remain live on the Chrome Web Store and the Edge Add-ons store, respectively.

Urban’s storefront marketing even highlights an “AI protection” feature that claims to check user prompts for sensitive data. But Koi found that this protective framing runs independently of the surveillance layer, exfiltrating all AI interaction data whether users want it collected or not.

Crooks stole chats from 8 million accounts

Koi researchers revealed that Urban VPN is operated by Urban Cyber Security Inc., which is affiliated with BiScience (B.I Science Ltd), a data broker company.

“This company has been on researchers’ radar before,” the researchers added. “Security researchers Wladimir Palant and John Tuckner at Secure Annex have previously documented BiScience’s data collection practices.” Their research found that BiScience collects re-identifiable clickstream data at scale and monetizes it via its SDK and products like AdClarity and Clickstream OS.

Hundreds of millions of AI conversations have been captured across multiple extensions from the same publisher, which together reach a combined user base of well over eight million.

Koi noted that the AI conversation capability on Urban VPN was introduced through extension updates over time, evolving from earlier browsing telemetry into broader monitoring of generative AI interactions as these tools gained mainstream adoption. The findings echo broader warnings that browser-based AI tools and extensions are becoming an unmanaged risk layer for enterprises, and should be treated as part of the attack surface rather than mere convenience features.
