Researchers say a “Featured” browser VPN extension captured AI prompts and responses across ChatGPT and Gemini, raising new questions about extension reviews and data collection.
A security report is warning that a popular browser VPN extension “stole” ChatGPT and Gemini chats—by intercepting and exfiltrating prompts and responses—impacting more than 6 million Chrome users tied to Urban VPN Proxy. Researchers at Koi Security say the AI chat harvesting was enabled by default in an update and could continue regardless of whether the VPN was turned on.
What happened
Koi Security says Urban VPN Proxy, a Chrome extension with over 6 million users, included code that intercepts conversations with major AI platforms, including ChatGPT and Google Gemini. The Hacker News reported the extension had a “Featured” badge on the Chrome Web Store and a large install base on Microsoft Edge as well.
According to Koi, the harvesting capability was introduced in Urban VPN Proxy version 5.5.0, released on July 9, 2025, and rolled out via standard browser extension auto-updates. Infosecurity Magazine summarized Koi’s findings as capturing AI chat traffic and sending it to company-controlled servers even when the VPN feature was not enabled.
Timeline (reported)
| Date / Period | Reported development | Why it matters |
| Before v5.5.0 | Koi says earlier versions did not include AI conversation harvesting. | Suggests the AI chat capture behavior was added later via update. |
| July 9, 2025 | Koi and The Hacker News cite release of v5.5.0 with AI harvesting enabled by default. | Users could be opted in silently through auto-updates. |
| July 2025–Dec 2025 | Koi says conversations with targeted AI platforms were captured and exfiltrated during this period. | Expands risk window for exposed prompts, responses, and metadata. |
How the extension accessed chats
Koi says Urban VPN Proxy injected “executor” scripts into AI chat sites, including dedicated files such as chatgpt.js and gemini.js. The report says those scripts then overrode browser networking functions like fetch() and XMLHttpRequest to intercept requests and responses before they were rendered.
The Hacker News and Koi both say the captured data was then exfiltrated to endpoints including analytics.urban-vpn.com and stats.urban-vpn.com. Koi further states there was no user-facing toggle to disable this harvesting, and the only reliable way to stop collection was uninstalling the extension.
Reported data collected
Koi and The Hacker News say the extension captured user prompts, chatbot responses, conversation identifiers, timestamps, session metadata, and AI platform/model information. Infosecurity Magazine similarly described collection of prompts, responses, timestamps, and session identifiers as part of the alleged harvesting.
Koi warns that because prompts often include highly sensitive content—such as medical questions, financial discussions, or workplace information—users should assume any AI chats made after the July 9, 2025 update may have been captured if the extension was installed.
Scale and other extensions
Koi says the same AI harvesting capability appeared not only in Urban VPN Proxy, but also in other related extensions across Chrome and Microsoft Edge, bringing the total affected user base to over 8 million across marketplaces. The Hacker News reported the same family of extensions and said several carried “Featured” badges, increasing perceived trust.
Reported affected extensions and users
| Extension (store) | Reported users | Notes from Koi’s report |
| Urban VPN Proxy (Chrome) | 6,000,000 | AI harvesting described as enabled by default after v5.5.0. |
| 1ClickVPN Proxy (Chrome) | 600,000 | Reported to share identical harvesting backend. |
| Urban Browser Guard (Chrome) | 40,000 | Reported to include same harvesting logic. |
| Urban Ad Blocker (Chrome) | 10,000 | Reported to include same harvesting logic. |
| Urban VPN Proxy (Edge) | 1,323,622 | Reported installs on Microsoft Edge Add-ons. |
| 1ClickVPN Proxy (Edge) | 36,459 | Reported installs on Microsoft Edge Add-ons. |
| Urban Browser Guard (Edge) | 12,624 | Reported installs on Microsoft Edge Add-ons. |
| Urban Ad Blocker (Edge) | 6,476 | Reported installs on Microsoft Edge Add-ons. |
Why this raised alarms (badges, disclosure, and data brokers)
One reason the report drew attention is that Urban VPN Proxy carried a “Featured badge,” which Google says is assigned to extensions that “meet a high standard of user experience and design,” and are manually evaluated by Chrome team members. Koi argues this kind of store badge can function like an implicit endorsement, making users more likely to install an extension without deeper scrutiny.
Koi also links the ecosystem to data monetization, stating Urban VPN is affiliated with BiScience (B.I Science), described in the report as a data broker with prior documentation by independent researchers. The Hacker News similarly reported that Urban VPN’s policy referenced sharing browsing data with an affiliated firm named BIScience and discussed prior public research alleging clickstream collection practices.
What users and organizations can do next
Koi’s guidance is straightforward: if any of the listed extensions are installed, uninstalling is the only sure way to stop the reported AI chat harvesting. Koi also advises users to assume any ChatGPT, Gemini, or other supported AI chats made since July 9, 2025 could have been captured if Urban VPN Proxy was installed.
For organizations, the incident highlights why browser extensions should be treated like high-privilege software, because Koi’s technical description shows how extensions can inject scripts and intercept web traffic inside sensitive sites. Where possible, security teams can reduce exposure by limiting extension installation to approved allowlists and reviewing extensions that request broad access to “site data” or web activity.
What comes next
As of the published reports, The Hacker News said it contacted Google and Microsoft for comment, and Infosecurity Magazine reported Urban VPN was contacted as well, with no response at the time of writing.
