A set of free VPN extensions that have over 8 million downloads on Chrome Web Store and Microsoft Edge Add-ons have been capturing and monetizing AI chat conversations with users since July 2025.
The findings, released today by security researcher Idan Dardikman of Koi Security, outline a large-scale data collection operation embedded within widely installed browser extensions. These extensions, some marked as “Featured” by Google and Microsoft, were found to intercept and exfiltrate user conversations with popular AI platforms like ChatGPT, Claude, Gemini, Copilot, and Grok, beginning with version 5.5.0 released in July 2025.
Specifically, Koi Security discovered embedded JavaScript executor scripts in the extension’s codebase, chatgpt.js, claude.js, gemini.js, and others, that inject themselves into browser sessions across ten major AI platforms. These scripts override core web APIs like fetch() and XMLHttpRequest, allowing them to monitor, intercept, and extract both user inputs and AI responses in real-time.
Koi Security
The extensions containing the chat logging code are:
Chrome Web Store:
- Urban VPN Proxy – 6,000,000 users
- 1ClickVPN Proxy – 600,000 users
- Urban Browser Guard – 40,000 users
- Urban Ad Blocker – 10,000 users
Microsoft Edge Add-ons:
- Urban VPN Proxy – 1,323,622 users
- 1ClickVPN Proxy – 36,459 users
- Urban Browser Guard – 12,624 users
- Urban Ad Blocker – 6,476 users
The collected data includes user prompts and AI responses, conversation metadata like IDs and timestamps, platform and model identifiers, and session data. This data is then passed to the extension's background worker and exfiltrated to Urban VPN servers at analytics.urban-vpn.com and stats.urban-vpn.com.
Transparent disclosure and privacy concerns
Urban VPN is operated by Urban Cyber Security Inc., an American entity affiliated with BiScience (B.I. Science Ltd.), a data analytics and marketing firm known for monetizing browsing data. Urban’s browser extensions are advertised as free privacy tools, offering VPN, ad blocking, and browser security features. Several of these extensions, such as Urban Browser Guard and Urban Ad Blocker, also carry the “Featured” label on both Chrome and Edge stores, suggesting they underwent manual review.
According to Koi Security’s analysis, all extensions in the Urban suite share the same backend for data exfiltration, with no opt-out options provided in the user interface. Even disabling AI protection features or disconnecting the VPN does not stop the harvesting.
Urban Cyber Security’s privacy policy does, in fact, disclose the collection and sharing of AI prompts and responses for marketing analytics. It states that “AI Inputs and Outputs” are considered part of the user’s web browsing data and may be shared with its affiliate BiScience. The company emphasizes that it applies data filtering and de-identification methods to remove personal or sensitive identifiers and that it does not attempt to ascertain user identity.
However, Koi Security highlights some critical nuances:
- The Chrome Web Store listings for these extensions claim user data is “not sold to third parties,” and do not explicitly mention AI conversation harvesting.
- Users who installed the extensions prior to July 2025 had no opportunity to consent to the new data practices, as the harvesting capability was introduced silently via auto-update.
- Even current users are not given a way to opt out of AI data collection independently from other extension features.
While the privacy policy outlines data practices in legal detail, the front-facing disclosures and UX do not clearly communicate the extent or purpose of AI data collection, leaving many users likely unaware that their conversations are being logged and monetized.
CyberInsider has contacted Urban VPN for a comment on Koi Security’s findings, but we have not received a response yet.
The extensions remain available on Chrome’s and Edge’s official marketplaces. Users should understand the privacy risks and potential for chatbot conversation exposure, and take the appropriate measures.
Leave a Reply