Koi finds Urban VPN exfiltrating AI chats from 8M+ users

Serge Bulaev
Millions of people who used Urban VPN and its add-ons on their browsers had their AI chats secretly copied and sent to a company's servers after a sneaky software update in July 2025. Even though these extensions promised privacy, they grabbed every conversation from chatbots like ChatGPT, Gemini, and others. This massive data leak has put users' privacy in danger, and authorities might fine the company. Experts say users should remove these extensions right away and be careful about what tools they trust online.

The discovery of Urban VPN exfiltrating AI chats from over eight million users has sounded alarms for privacy advocates and consumers. This incident reveals how popular browser extensions, often marketed for security, can be repurposed to secretly harvest vast amounts of sensitive user data on an industrial scale.
Security researchers have traced the data exfiltration to Urban VPN Proxy and seven related browser extensions. According to the detailed Koi Security report, a covert update (version 5.5.0) on July 9, 2025, injected malicious scripts. These scripts intercepted all user interactions with major AI chatbots - including ChatGPT, Gemini, and Claude - and transmitted the conversations to an analytics server, even when the VPN was inactive.
How the hidden harvest worked
Urban VPN injected malicious scripts into browser tabs running AI chatbots. This code automatically located, copied, and packaged entire conversations - including user prompts and AI responses. The captured data was then sent to an external analytics server, a process that occurred without the user's knowledge or consent.
The malicious code, concealed in files like chatgpt.js, activated when a user visited a chatbot website. It parsed the page's content, extracted the text, and sent it to analytics.urban-vpn.com. Despite a "Featured" badge on the Chrome Web Store, the extension's privacy policy falsely claimed it did not sell data, a violation of store policies as confirmed by an independent analysis from The Register.
The primary extension, Urban VPN Proxy, had nearly six million installations on Google Chrome. When combined with its sister extensions on Chrome and Microsoft Edge, the total install base exceeded eight million. Koi Security warns that any user with these extensions installed before the July update likely had their subsequent AI conversations compromised.
Legal clouds are forming
The incident has attracted significant regulatory scrutiny. The data collection may violate GDPR by processing sensitive data without explicit consent, risking fines up to 4% of global turnover. In California, the CPRA enables penalties for selling personal information without providing an opt-out. Furthermore, the FTC could file deceptive-practice charges, as the extension promised privacy while conducting surveillance, a precedent that has led to multi-million-dollar settlements in similar cases.
What users and companies can do
To mitigate risk, users and organizations should immediately audit their browser environments.
- For Individuals: Navigate to chrome://extensions/ or edge://extensions/ and remove Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker.
- For Enterprises: Companies must enforce stricter browser governance. This includes implementing policies to whitelist approved extensions by ID, using egress filtering to block traffic to malicious domains like analytics.urban-vpn.com, and deploying endpoint detection and response (EDR) tools to flag suspicious outbound data.
Safer ways to chat with AI
Adopt these best practices to protect sensitive AI interactions:
- Use a dedicated browser profile for AI tools with all non-essential extensions disabled.
- Isolate sessions using container tabs or virtual machines when working with confidential information.
- Regularly inspect extension permissions, particularly those requesting broad access like *://*/*.
- Monitor network logs for unusual outbound traffic patterns that could indicate data scraping.
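One way to carry out the permission inspection recommended above: this added Python audit (not Koi's tooling and not code from the page) flags extension manifests that combine broad host access with content scripts named after the harvesting files Koi reported. The sample manifests and the profile directory layout are constructed for illustration.

```python
"""Flag extension manifests that pair broad host access with content scripts
named after the harvesting files Koi reported. Added example; the sample
manifests below are constructed, not taken from any real extension."""
import json
from pathlib import Path

# Script filenames Koi reported in the Urban VPN family (see the table above).
SUSPECT_SCRIPTS = {"chatgpt.js", "claude.js", "gemini.js", "copilot.js",
                   "perplexity.js", "deepseek.js", "grok.js", "metaai.js"}
# Host patterns that grant access to every site the user visits.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed manifest.json (MV2 or MV3)."""
    findings = []
    # MV3 lists host access in host_permissions; MV2 mixes it into permissions.
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    broad = hosts & BROAD_PATTERNS
    if broad:
        findings.append(f"broad host access: {', '.join(sorted(broad))}")
    for cs in manifest.get("content_scripts", []):
        for js in cs.get("js", []):
            if Path(js).name in SUSPECT_SCRIPTS:
                findings.append(f"content script {js} matches a known harvesting filename")
    return findings


def audit_profile(ext_root: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (Chromium layout)."""
    results = {}
    for manifest_path in ext_root.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: skip rather than crash the audit
        if findings := audit_manifest(manifest):
            results[ext_id] = findings
    return results


# Constructed manifests: one mimics the reported pattern, one is benign.
SUSPECT_MANIFEST = {"manifest_version": 3, "host_permissions": ["<all_urls>"],
                    "content_scripts": [{"matches": ["*://*/*"],
                                         "js": ["scripts/chatgpt.js", "scripts/claude.js"]}]}
BENIGN_MANIFEST = {"manifest_version": 3, "host_permissions": ["https://example.com/*"],
                   "content_scripts": [{"matches": ["https://example.com/*"], "js": ["content.js"]}]}

if __name__ == "__main__":
    for name, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, audit_manifest(m) or ["no findings"])
```

Point audit_profile at a real profile's Extensions directory to scan every installed extension; a filename match alone is weak evidence, so treat it as a triage hint to be confirmed by reading the script.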
A Malwarebytes investigation confirms that official browser store review processes failed to detect this malicious update. Until platform-level security audits become more robust, users must operate with caution. The most effective security posture is to assume any browser extension can access your data and design workflows accordingly.
How did Koi discover that Urban VPN was stealing AI chats?
Koi Security discovered the malicious behavior during a routine audit of privacy-focused browser extensions. By analyzing Urban VPN Proxy version 5.5.0, they found hard-coded scripts (chatgpt.js, claude.js) designed to hook the browser's fetch() and XMLHttpRequest APIs. This allowed the extension to capture entire AI conversations, Base64-encode them, and send them to analytics.urban-vpn.com, even with the VPN disabled. The same malicious code was found in seven sister extensions, bringing the total install base to approximately 8.2 million users.
Which AI services were caught in the net?
The scripts were specifically designed to target eight of the most widely used AI chatbot platforms:
| Service | Script filename | Data points taken |
|---|---|---|
| ChatGPT | chatgpt.js | prompt, answer, thread ID, model version |
| Claude | claude.js | prompt, answer, thread ID, model version |
| Gemini | gemini.js | prompt, answer, thread ID, model version |
| Microsoft Copilot | copilot.js | prompt, answer, thread ID, model version |
| Perplexity | perplexity.js | prompt, answer, thread ID, model version |
| DeepSeek | deepseek.js | prompt, answer, thread ID, model version |
| Grok | grok.js | prompt, answer, thread ID, model version |
| Meta AI | metaai.js | prompt, answer, thread ID, model version |
Because this list consists of the literal script filenames found in the extension's code, Koi could confirm that interactions on all of these sites were captured.
What legal / regulatory risks do the publishers face?
The publishers of Urban VPN face significant legal and financial risks from multiple regulatory bodies:
- GDPR (EU): Processing sensitive data without explicit consent could lead to fines of up to 4% of global annual turnover.
- CCPA/CPRA (California): Selling personal information without a clear "Do Not Sell" option exposes the company to penalties and class-action lawsuits.
- FTC Act (US): Marketing the extension as a privacy tool while secretly harvesting data qualifies as a deceptive practice. The FTC has previously settled similar cases for millions of dollars.
Did Google or Microsoft remove the extensions?
Both Google and Microsoft have removed the extensions from their respective stores, but their responses were not immediate. Google delisted Urban VPN and its affiliates on December 16, 2025, a day after Koi's public disclosure. Microsoft followed suit 48 hours later, removing the packages from the Edge Add-ons store on December 18. As of January 2026, neither company has issued a public incident report or user notification.
How can I protect myself and my organization?
For Individuals (5-Minute Check):
- Open your browser's extension manager (chrome://extensions or edge://extensions) and remove any suspicious VPN, Proxy, or Ad Guard extensions you did not intentionally install.
- For extensions you wish to keep, click Details → Permissions and restrict any that request to "Read and change all your data on all websites" unless absolutely necessary.
- Conduct sensitive AI chats in an Incognito or Private window where extensions are disabled by default, or use a separate browser profile with no extensions installed.
For Enterprises (Policy-Level Control):
- Use Group Policy (GPO) to enforce an extension whitelist, blocking all others by default. The following snippet for Chrome demonstrates this approach:
Computer Configuration > Administrative Templates > Google > Google Chrome > Extensions
ExtensionInstallAllowlist = <32-character extension ID>, <32-character extension ID>
ExtensionInstallBlocklist = * (wildcard)
- Deploy this policy via GPO to prevent user overrides. Supplement this by configuring network firewalls or proxies to block and alert on traffic to known malicious domains like analytics.urban-vpn.com.
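To make the alerting step concrete, here is an added Python triage over outbound proxy log lines (example code, not Koi's or any vendor's). It raises the two signals the article recommends watching: any contact with the known exfiltration domain, and large POST bodies leaving for destinations not sanctioned for uploads. The log format, the sample lines, the upload allowlist and the size threshold are assumptions.

```python
"""Triage outbound proxy log lines for contact with a known exfiltration domain
and for large unsanctioned POSTs. Added example; the log format, sample lines,
allowlist and threshold are constructed assumptions."""
from dataclasses import dataclass

# Known-bad egress destination named in the report.
BLOCKLIST = {"analytics.urban-vpn.com"}
# Hosts where large uploads are expected (assumed corporate file service).
UPLOAD_ALLOWLIST = {"files.corp.example"}
# Request body size above which an unsanctioned POST deserves a look (assumed).
POST_BYTES_THRESHOLD = 4096


@dataclass
class Alert:
    client: str
    host: str
    reason: str


def parse_line(line: str) -> dict:
    """Constructed format: '<ts> <client> <method> <host> <path> <status> <req_bytes>'."""
    ts, client, method, host, path, status, req_bytes = line.split()
    return {"ts": ts, "client": client, "method": method.upper(), "host": host.lower(),
            "path": path, "status": int(status), "req_bytes": int(req_bytes)}


def in_blocklist(host: str) -> bool:
    """Match the domain itself and any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)


def triage(lines: list[str]) -> list[Alert]:
    alerts = []
    for line in filter(str.strip, lines):
        rec = parse_line(line)
        # Signal 1: any contact with a known exfiltration domain, regardless of size.
        if in_blocklist(rec["host"]):
            alerts.append(Alert(rec["client"], rec["host"], "contact with known exfiltration domain"))
        # Signal 2: a large POST to a host where big uploads are not expected.
        elif (rec["method"] == "POST" and rec["req_bytes"] >= POST_BYTES_THRESHOLD
              and rec["host"] not in UPLOAD_ALLOWLIST):
            alerts.append(Alert(rec["client"], rec["host"],
                                f"large unsanctioned POST ({rec['req_bytes']} bytes)"))
    return alerts


# Constructed sample: a page load, a sanctioned upload, and two lines that should fire.
SAMPLE_LOG = [
    "2025-07-10T09:01:02Z 10.0.0.12 GET chat.example.com /c/thread 200 0",
    "2025-07-10T09:01:05Z 10.0.0.12 POST files.corp.example /upload 200 10485760",
    "2025-07-10T09:01:07Z 10.0.0.12 POST analytics.urban-vpn.com / 200 2048",
    "2025-07-10T09:02:11Z 10.0.0.31 POST cdn.unknown-tracker.example /b 200 9210",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.client} -> {a.host}: {a.reason}")
```

The second signal will need tuning to a baseline of normal upload destinations before it is useful outside a demo.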
Key Statistics
- 8.2 Million Installations: The total number of users affected across all eight extensions.
- Always-On Data Collection: The harvesting script was active by default and could not be disabled by the user.
- VPN Status Irrelevant: Data was exfiltrated even when the VPN connection itself was turned off.