A widely used browser extension marketed as a free VPN has reportedly been collecting and transmitting users’ conversations with major AI chat platforms.
According to new research from security firm Koi, the activity could affect millions of users and involve content many consider private, including medical questions, financial discussions and workplace issues.
The research identified Urban VPN Proxy, a Chrome extension with more than 6 million users and a Google “Featured” badge, as a central example.
Although marketed as a privacy-focused tool, the extension was allegedly found to include functionality that intercepts AI chat traffic and sends it to company-controlled servers, regardless of whether the VPN is enabled.
Koi researchers analysed browser extensions capable of accessing AI platforms and discovered that Urban VPN Proxy contained scripts specifically designed to capture conversations across several services.
These scripts are allegedly enabled by default and cannot be turned off through user settings. The only way to stop the collection would be to uninstall the extension entirely.
The extension injects code into supported AI websites and overrides standard browser network functions. This allows it to capture prompts, responses, timestamps and session identifiers before the content is displayed to the user. The collected data is then compressed and transmitted to analytics servers operated by Urban VPN.
The researchers claimed that the same data-collection capability exists in seven additional extensions from the same publisher, spanning VPNs, ad blockers and browser security tools. In total, more than 8 million users across Chrome and Edge may be affected.
Read more on AI data privacy: How ISO 42001 Strengthens AI Cybersecurity and Data Privacy
According to Koi’s analysis, the AI conversation harvesting was introduced in version 5.5.0 of Urban VPN Proxy, released on July 9 2025. Earlier versions did not include this functionality. Because extensions typically update automatically, many users were unaware of the change.
Urban VPN’s promotional materials do describe an “AI protection” feature intended to warn users about sharing sensitive data. However, the researchers said this feature operates independently from the conversation harvesting, which continues even when protections are disabled.
Urban VPN is operated by Urban Cyber Security Inc., affiliated with data broker BiScience. Koi’s report notes that BiScience has previously been linked to large-scale browsing data collection.
“Anyone who used ChatGPT, Claude, Gemini, or the other targeted platforms while Urban VPN was installed after July 9, 2025 should assume those conversations are now on Urban VPN’s servers and have been shared with third parties,” Koi wrote.
“Medical questions, financial details, proprietary code, personal dilemmas – all of it, sold for ‘marketing analytics purposes.’”
Urban VPN was contacted for comment on the findings but has not responded at the time of writing.
