Urban VPN Proxy Chrome Extension Harvests AI Chatbot Conversations
The Urban VPN Proxy Chrome extension, boasting over 6 million installs and a "Featured" badge on the Chrome Web Store, was discovered secretly collecting and exfiltrating user conversations with major AI chatbots, including ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI. Researchers found that a silent update in July 2025 (version 5.5.0) introduced hidden code that intercepts every prompt and response exchanged with these AI platforms, along with conversation identifiers, timestamps, and session metadata. The extension, which markets itself as a privacy and security tool, continued to harvest data regardless of whether the VPN service was active, betraying user trust and bypassing normal browser security boundaries.
Captured data was sent to Urban VPN’s servers and subsequently sold to marketing analytics firms, notably BiScience, a known data broker. The malicious behavior was enabled by script injection that overrode browser APIs such as fetch() and XMLHttpRequest(), ensuring all relevant traffic was intercepted. The extension’s widespread distribution and high user ratings, combined with its presence on both Chrome and Edge marketplaces, amplified the impact of this breach. The incident highlights the risks posed by browser extensions with privileged access and the potential for abuse even among highly rated and officially endorsed add-ons.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Chrome Web Store removes the identified extensions
By 2025-12-18, Malwarebytes reported that the Chrome Web Store had removed the identified extensions following disclosure of the AI chat harvesting behavior. Some of the same extensions were still available in the Microsoft Edge Add-ons store at that time.
Researchers warn featured browser-store badges gave false trust signals
Reports noted that the affected Chrome and Edge extensions carried marketplace trust indicators such as 'Featured' badges despite the surveillance behavior. Researchers said these badges and privacy-focused marketing claims could have misled users into believing the extensions were vetted and safe.
Koi Security discloses AI chat interception by Urban VPN extensions
In mid-December 2025, Koi Security publicly reported that Urban VPN Proxy and related browser extensions were capturing full conversations from services such as ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. The researchers said the data was exfiltrated to infrastructure tied to Urban Cyber Security Inc. and affiliated data broker BiScience for commercial use.
Related extensions from the same publisher also collect AI conversations
Koi Security found the same AI-chat harvesting functionality in additional browser extensions from the same publisher, including 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker, with some reports saying as many as eight extensions were affected. The combined install base was estimated at more than 8 million users.
Urban VPN update 5.5.0 begins harvesting AI chat data
On 2025-07-09, Urban VPN Proxy version 5.5.0 introduced code that intercepts prompts, responses, and related metadata from major AI chat services and sends the data to remote servers by default. The behavior reportedly operated regardless of whether the VPN feature was enabled and without a user-facing opt-out beyond uninstalling the extension.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Chrome extension slurps up AI chats after users installed it for privacy
malwarebytes.com
Open sourceBrowser extensions with 8 million users collect extended AI conversations
arstechnica.com
Open sourceBrowser 'privacy' extensions have eye on your AI, log all your chats
go.theregister.com
Open sourcePopular Chrome Extension with Over 6 Million Installs Captures User Inputs to AI Chatbots
cybersecuritynews.com
Open sourceBrowser Extension Harvests 8M Users' AI Chatbot Data
darkreading.com
Open source‘Featured’ Urban VPN caught stealing private AI chats
csoonline.com
Open sourceFeatured Chrome Browser Extension Caught Intercepting Millions of Users' AI Chats
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Urban VPN Proxy Harvests AI Chatbot Conversations and Sells Data
Urban VPN Proxy, a popular browser extension marketed as a free clientless VPN for Chrome, has been found to secretly collect and sell user conversations from major AI chatbot platforms to third-party data brokers. Security researchers at Koi Security revealed that since July, the extension has harvested every prompt and response from platforms including ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI, impacting approximately 8 million users. The data collection occurs regardless of whether the VPN feature is enabled, and users have no option to disable this surveillance except by uninstalling the extension. Additional extensions from the same publisher, such as 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker, also engage in similar data harvesting activities, despite carrying "Featured" badges in browser app stores, which typically indicate a level of trust and manual review. The exposure of this privacy violation highlights significant risks associated with browser extensions, especially those that interact with sensitive AI platforms. The incident underscores the need for stricter vetting of browser extensions and greater transparency regarding data collection practices. Users and organizations relying on browser-based AI tools should review installed extensions for potential privacy risks and consider removing those with questionable data handling practices, even if they appear reputable or highly rated in official app stores.
Mar 21, 2026
Malicious Chrome Extensions Stole Conversations From ChatGPT, Claude, Gemini, and DeepSeek
Researchers reported that several AI-themed browser extensions in official marketplaces covertly harvested user conversations from generative AI services including **ChatGPT, Claude, Copilot, Gemini, and DeepSeek**. G Data identified **Urban VPN**, **Smart Sidebar: ChatGPT, Claude and DeepSeek**, and **AI Assistant/Chat AI** as examples that remained outwardly functional while injecting scripts, intercepting requests, tampering with page content, or using hidden iframes to capture prompts and responses from visited AI sites. Investigators said the stolen data included conversation IDs, hostnames, timestamps, and full chat histories, with some payloads encoded in Base64 and sent to external servers. The extensions reportedly had strong ratings, large user bases, and in one case a Chrome Web Store **Featured** badge, underscoring how official store vetting can miss dynamic malicious behavior such as remote iframe communications; researchers warned that AI-focused extensions now expose a broad attack surface and urged enterprises to enforce strict extension allow-listing, minimize permissions, and remove unnecessary add-ons from systems accessing sensitive AI platforms.
Jun 15, 2026
Malicious Chrome Extensions Steal ChatGPT and DeepSeek Conversations
Two rogue Chrome extensions, impersonating the legitimate AITOPIA AI sidebar tool, have compromised over 900,000 users by exfiltrating ChatGPT and DeepSeek conversations along with full browsing histories to attacker-controlled servers. The extensions, named "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" and "AI Sidebar with Deepseek, ChatGPT, Claude and more," request consent for "anonymous analytics" but covertly steal sensitive data, including proprietary code, business strategies, PII, and internal URLs. The malware operates by monitoring browser tabs, scraping chat content and session IDs, and sending Base64-encoded data to C2 servers every 30 minutes, exposing users to risks such as espionage, identity theft, and phishing. Researchers from OX Security discovered the threat, noting that the extensions remain available on the Chrome Web Store, with one losing its "Featured" badge after disclosure. The extensions also redirect users to each other if uninstalled, and their privacy policies are hosted on third-party sites to obscure their origins. The incident highlights the growing trend of browser extensions being used to capture AI chatbot conversations, a tactic dubbed "Prompt Poaching," and underscores the need for vigilance when installing browser add-ons, especially those requesting broad permissions under the guise of analytics or enhanced user experience.
Mar 21, 2026