A popular Chrome extension, Urban VPN Proxy, boasting over 6 million installations, has been found to be secretly harvesting user conversations with major AI chatbots. The extension, despite holding Google’s “Featured” badge for quality, contains hidden code designed to intercept and exfiltrate sensitive dialogue from platforms like ChatGPT, Claude, Gemini, and others. This discovery highlights the significant privacy risks posed by seemingly innocuous browser add-ons.
Researchers at Koi uncovered that the malicious code was introduced via a silent update in July 2025, specifically in version 5.5.0. Users who installed the extension prior to this update were unaware of the heightened data collection capabilities. The compromised extension monitors every prompt sent to AI services and captures complete responses, conversation identifiers, timestamps, and session metadata.
Urban VPN Proxy Compromised: Millions of AI Chatbot Conversations Harvested
The implications of this breach are far-reaching, as Urban VPN Proxy presented itself as a privacy and security tool, earning a 4.7-star rating from thousands of reviews on Google’s official marketplace. Users who installed the extension for its purported VPN functionality unknowingly granted it broad access to monitor their most personal digital interactions. Crucially, the data collection operates independently of the VPN service itself, meaning conversations are harvested whether the VPN is connected or disabled.
The findings reveal a sophisticated exploitation of browser extension privileges, allowing the malicious code to bypass standard security measures. The intercepted information is systematically sent to Urban VPN’s servers at analytics.urban-vpn.com and stats.urban-vpn.com. From there, it is reportedly sold for marketing analytics purposes through established connections with the data broker company BiScience, indicating a commercial motive behind the data harvesting.
Furthermore, the threat extends beyond just the Urban VPN Proxy extension. Investigations confirmed that seven other extensions from the same publisher harbor identical data-harvesting code. Collectively, these extensions, operating under different product names such as 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker, impact over 8 million users across both Google Chrome and Microsoft Edge browsers. All these extensions funnel their illicitly collected data through the same surveillance infrastructure, raising concerns about the publisher’s overall data handling practices.
The Technical Mechanism Behind Data Harvesting
The method employed by the extension to harvest user data is technically intricate, involving a four-step process that underscores how deeply malicious code can integrate with browser functionalities. When a user accesses any of the targeted AI platforms, the extension injects specialized executor scripts directly into the web pages. For instance, it uses chatgpt.js for ChatGPT, claude.js for Claude, and gemini.js for Gemini.
These injected scripts then proceed to override fundamental browser APIs responsible for managing network traffic. In practice, they wrap the fetch() and XMLHttpRequest functions, effectively intercepting every network request and response before the data is even processed or displayed to the user by the browser. This technique is highly effective in capturing raw API data, which contains the entirety of user conversations.
The extension then parses the captured traffic to extract prompts, the AI’s responses, unique conversation identifiers, and other relevant metadata. The harvested data is packaged and passed via window.postMessage to the extension’s content script, in messages identified by PANELOS_MESSAGE. Finally, a background service worker within the extension compresses the aggregated data and transmits it to Urban VPN’s external servers, completing the exfiltration process.
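A defender's view of the pattern described above, as an added example that is not from the original article or from Koi's research: a Node.js static triage pass over unpacked extension scripts that flags network API overrides, postMessage relays, and the reporting hosts named in the article. The rule names, severity levels, and sample file contents are constructed for illustration.

```javascript
// Added example: static triage of unpacked extension scripts.
// Rule ids and severities are assumptions, not part of any real tool.
const RULES = [
  { id: "fetch-override", re: /\b(?:window|globalThis|self)\.fetch\s*=(?!=)/ },
  { id: "xhr-override", re: /XMLHttpRequest\.prototype\.(?:open|send)\s*=(?!=)/ },
  { id: "postmessage-relay", re: /\bpostMessage\s*\(/ },
  { id: "panelos-marker", re: /PANELOS_MESSAGE/ },
  { id: "reporting-host", re: /\b(?:analytics|stats)\.urban-vpn\.com\b/ },
];

// Return every rule hit in a source text, with its 1-based line number.
function scanSource(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const rule of RULES) {
      if (rule.re.test(line)) hits.push({ rule: rule.id, line: i + 1 });
    }
  });
  return hits;
}

// Grade each file. postMessage alone is common and benign, so it only
// raises severity when the same file also reassigns fetch or XHR methods.
function triage(files) {
  const report = {};
  for (const [name, text] of Object.entries(files)) {
    const hits = scanSource(text);
    const ids = new Set(hits.map((h) => h.rule));
    const hooks = ids.has("fetch-override") || ids.has("xhr-override");
    const relays = ids.has("postmessage-relay") || ids.has("panelos-marker");
    let severity = "none";
    if (hooks) severity = "medium";
    if ((hooks && relays) || ids.has("reporting-host")) severity = "high";
    report[name] = { severity, hits };
  }
  return report;
}

// Constructed sample files (not taken from the real extension).
const SAMPLE = {
  "executor.js": [
    "const nativeFetch = window.fetch;",
    "window.fetch = function (...a) { return nativeFetch.apply(this, a); };",
    "window.postMessage({ type: 'PANELOS_MESSAGE', payload: null }, '*');",
  ].join("\n"),
  "options.js": "document.title = 'Settings';",
  "worker.js": "const HOST = 'stats.urban-vpn.com';",
};
console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

Pattern matching of this kind misses minified or obfuscated code, so a clean result is not proof that an extension is safe; hits are a prompt for manual review of the flagged lines.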
A particularly deceptive aspect of the extension is its advertised “AI protection” feature. This feature is purported to monitor conversations and warn users about accidentally sharing sensitive information. However, researchers found that this protective function operates entirely independently of the harvesting mechanism. Toggling the AI protection feature on or off has no discernible impact on whether user conversations are captured and subsequently sold to third-party entities.
The discovery of this widespread data harvesting operation by Urban VPN Proxy and its sister extensions raises significant questions about the security of browser extensions and the oversight provided by official marketplaces like Google’s Chrome Web Store. Users are advised to review their installed extensions and consider removing any that seem unnecessary or have not been recently vetted for security. The ultimate resolution may involve action from regulatory bodies and further scrutiny of extensions from this particular publisher.

