Eight million users had their private AI conversations with ChatGPT, Claude, and Gemini silently harvested and sold to advertisers by browser extensions marketed as “privacy” tools. Security researchers at Koi Security discovered this month that Urban VPN Proxy and seven related extensions updated themselves in July 2025 to intercept every prompt and response, exfiltrating the data for five months before the operation was exposed.
How the AI Chat Harvesting Worked
The operation used a sophisticated 4-stage process to capture conversations before they even rendered in your browser. When you visited ChatGPT, Claude, or any of the eight targeted AI platforms, the extensions injected dedicated executor scripts (chatgpt.js, claude.js, gemini.js) that overrode fundamental browser functions like fetch() and XMLHttpRequest. These scripts intercepted API responses in real time, parsed out your prompts and the AI’s responses, then compressed and exfiltrated everything to Urban VPN’s servers at analytics.urban-vpn.com.
This wasn’t sloppy coding or an accident. The harvesting was hardcoded and enabled by default, with no user-facing toggle to disable it. Even if you disconnected the VPN or enabled the so-called “AI protection” feature, the harvesting continued silently in the background. The extensions targeted ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI.
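A defender can check for the override of fetch() and XMLHttpRequest described above from the page itself. The following is an added example, not code from the extensions or from Koi Security: it reports whether those entry points still print as engine built-ins, and the stand-in window it is exercised on is constructed.

```javascript
// Added example: report page network APIs that no longer look like built-ins.
const fnToString = Function.prototype.toString; // reference taken once, up front
const NATIVE_SRC = /^function\s*[\w$]*\s*\([^)]*\)\s*\{\s*\[native code\]\s*\}$/;

function looksNative(fn) {
  return typeof fn === "function" && NATIVE_SRC.test(fnToString.call(fn));
}

// The entry points an in-page hook has to replace to see chat API traffic.
function browserTargets(win) {
  const xhr = win.XMLHttpRequest ? win.XMLHttpRequest.prototype : {};
  return [
    ["fetch", win.fetch],
    ["XMLHttpRequest.prototype.open", xhr.open],
    ["XMLHttpRequest.prototype.send", xhr.send],
  ];
}

function auditHooks(win) {
  return browserTargets(win).map(([name, fn]) => ({
    name,
    status: fn === undefined ? "missing" : looksNative(fn) ? "native" : "replaced",
    source: typeof fn === "function" ? fnToString.call(fn).slice(0, 80) : null,
  }));
}

// Constructed stand-in for a page whose fetch was wrapped (for running offline).
function constructedHookedWindow() {
  const builtin = Array.prototype.push; // any engine built-in prints as [native code]
  function XHR() {}
  XHR.prototype.open = builtin;
  XHR.prototype.send = builtin;
  const win = { fetch: builtin, XMLHttpRequest: XHR };
  const original = win.fetch;
  win.fetch = function (...args) { return original.apply(this, args); }; // pass-through wrapper
  return win;
}

// In the page's DevTools console: console.table(auditHooks(window));
```

Treat a "replaced" result as a reason to look at which extension or page script installed the wrapper, not as proof of harvesting, since legitimate tooling also wraps these functions. A "native" result is not a clean bill of health either: the check is a heuristic that depends on Function.prototype.toString itself being untouched.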
The Betrayal: “Privacy” Tools Selling Your Secrets
Here’s the part that should infuriate you: these were “privacy” and “security” extensions. Urban VPN Proxy had over 6 million downloads and a “Featured” badge from Google, all while actively harvesting millions of users’ most private conversations. The Chrome Web Store listing claimed user data was “not being sold to third parties.” The actual privacy policy told a different story: data was shared with BiScience, a known data broker, and unnamed “Business Partners” for “marketing analytics purposes.”
Users who installed the extensions before July 2025 never saw an updated consent prompt. The harvesting code appeared via silent auto-update on July 9, 2025 (version 5.5.0). If you trusted these tools to protect your privacy, they weaponized that trust to harvest your most valuable data.
The Scale: 8 Million Users, 5 Months of Data Collection
The scope is staggering. Eight extensions across Chrome and Edge, 8,028,181 total users, eight AI platforms, five months of continuous harvesting. Think about what you’ve asked AI tools since July: medical symptoms, financial planning, legal questions, relationship problems. Or if you’re a developer: proprietary code snippets, business strategies, client information, trade secrets. All of it potentially in advertisers’ hands.
The affected extensions include Urban VPN Proxy (6M Chrome users, 1.3M Edge users), 1ClickVPN Proxy (600K Chrome users), Urban Browser Guard, and Urban Ad Blocker. All share identical harvesting code, suggesting coordinated data collection infrastructure. They were all operated by Urban Cyber Security Inc., which is affiliated with BiScience, a company with a history of collecting browsing and clickstream data.
This is the Economics of “Free” Browser Extensions
Let’s be clear about what happened here: you installed a free tool, and you became the product. This is the business model. According to the 2025 VPN Transparency Report, seventy percent of free VPN services sell your browsing data. Eighty-eight percent leak data through IP or DNS. Eighty-six percent have what researchers call “unacceptable” privacy policies. Urban VPN didn’t break the mold—they just found a more valuable data stream.
AI conversations are the new gold mine for data brokers. They’re worth more than browsing history because they contain your thoughts, not just your behavior. Your prompts reveal problems you’re trying to solve, secrets you’re keeping, ideas you’re developing. Yet oversight is nonexistent: these extensions are still live on the Chrome and Edge stores as of publication, Featured badge intact.
What You Should Do About VPN Extension Privacy Risks
If you’ve used any of these extensions, assume your AI conversations since July 2025 are compromised. Uninstall immediately: Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, Urban Ad Blocker (both Chrome and Edge versions). Check your installed extensions and remove anything you don’t actively use. Review the permissions of what remains—if a VPN extension can access all your data on all websites, it can harvest anything.
For the long term, stop using free VPN extensions. Use paid services from reputable providers, or if you need a free option, use Proton VPN, which has a privacy-first model and doesn’t monetize user data. Also minimize your installed browser extensions: every extension is a potential surveillance point. Be extremely cautious about what you share with AI tools, especially if you work with sensitive business or client information.
For enterprises: implement AI governance policies, block free VPN and proxy extensions on corporate machines, and audit employee browser extensions. Companies using GenAI tools like Microsoft Copilot already exposed an average of 3 million sensitive records per organization in the first half of 2025. Add unvetted browser extensions to that mix and you’re asking for a data breach.
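The permission review and extension audit recommended above can be scripted against each installed extension's manifest.json. This is an added example, not the researchers' tooling: the hostnames for the AI platforms and the sample manifest are assumptions constructed here, and the caller is assumed to pass an already parsed manifest.

```javascript
// Added example: triage a parsed manifest.json for the access the harvesting needed.
// Assumption: hostnames for the platforms the article names (it lists names only).
const AI_HOSTS = ["chatgpt.com", "claude.ai", "gemini.google.com", "copilot.microsoft.com",
  "www.perplexity.ai", "chat.deepseek.com", "grok.com", "www.meta.ai"];

// Does a match pattern (e.g. "*://*.claude.ai/*") cover this host?
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(?:\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const h = m[1];
  if (h === "*") return true;
  if (h.startsWith("*.")) return host === h.slice(2) || host.endsWith(h.slice(1));
  return h === host;
}

function auditManifest(manifest, aiHosts = AI_HOSTS) {
  const perms = manifest.permissions || [];
  // MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
  const hostPerms = [...(manifest.host_permissions || []), ...perms]
    .filter((p) => p === "<all_urls>" || p.includes("://"));
  // A pattern that covers a reserved, never-registered host covers every site.
  const broad = hostPerms.filter((p) => patternCoversHost(p, "host.invalid"));
  const findings = [];
  if (broad.length) findings.push({ rule: "all-sites-access", evidence: broad });
  if (broad.length && perms.includes("scripting"))
    findings.push({ rule: "can-inject-scripts-anywhere", evidence: ["scripting"] });
  for (const cs of manifest.content_scripts || []) {
    const hosts = aiHosts.filter((h) => (cs.matches || []).some((p) => patternCoversHost(p, h)));
    if (hosts.length) findings.push({ rule: "content-script-on-ai-chat",
      evidence: { hosts, js: cs.js || [], world: cs.world || "ISOLATED" } });
  }
  return findings;
}

// Constructed sample manifest (not the manifest of any real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 3, name: "Example Proxy (constructed)",
  permissions: ["proxy", "storage", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["https://chatgpt.com/*", "https://*.claude.ai/*"],
    js: ["content/chat.js"], world: "MAIN" }],
};
```

Because the harvesting arrived through an auto-update, a one-time review is not enough: re-run the audit whenever an extension's version changes and compare the findings with the previous run.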
Key Takeaways
- 8 million users had AI conversations with ChatGPT, Claude, and Gemini harvested and sold by “privacy” extensions
- Urban VPN Proxy and 7 related extensions silently updated in July 2025 to intercept and exfiltrate AI chat data
- Extensions used sophisticated 4-stage harvesting: script injection, API interception, data parsing, exfiltration
- Data sold to BiScience (data broker) and “Business Partners” despite store listings claiming “not sold to third parties”
- Uninstall these extensions immediately and assume AI conversations since July are compromised
- Stop using free VPN extensions—70% sell your data, 88% leak it











