Back to articles

Urban VPN review: how a "Featured" Chrome extension harvested 8 million users' AI chats

Urban VPN Proxy secretly harvested ChatGPT, Claude, and Gemini chats from 8M users. A separate campaign hit 900K users in 20K+ enterprise tenants.

Maxim Kosterin
9 min read

TL;DR

  • Urban VPN Proxy (6M Chrome users, 4.7 stars, Google "Featured" badge) secretly harvested conversations from ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI
  • The AI chat collection was silently added in version 5.5.0 (July 2025) — existing users got it through auto-update with no opt-out
  • All four Urban VPN-linked extensions were removed from the Chrome Web Store in December 2025
  • March 2026 update: A separate campaign using two fake AI extensions stole ChatGPT and DeepSeek chats from 900K users across 20K+ enterprise tenants (OX Security / Microsoft Defender) — see the incident response playbook for enterprise remediation steps
  • If you used Urban VPN after July 9, 2025 or either AITOPIA-impersonating extension: assume your AI conversations were collected

A VPN that reads your AI chats

You install a VPN extension to protect your privacy. It has 6 million users, a 4.7-star rating, and Google's own "Featured" badge. Sounds safe, right?

Not if it's Urban VPN Proxy.

In December 2025, security researchers discovered that Urban VPN had been silently intercepting conversations from eight major AI platforms — ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI. According to Malwarebytes, the harvesting had been running since version 5.5.0, pushed to users on July 9, 2025.

That means anyone who had the extension installed got the update automatically. No notification. No consent prompt. Just a silent code push that turned a "privacy tool" into a data collection pipeline.

What Urban VPN actually did

The extension's AI harvesting operated independently of the VPN functionality itself. Whether or not you had the VPN connected, the data collection ran in the background.

Here's how it worked, according to The Register: Urban VPN monitored your browser tabs and injected executor scripts into targeted AI platform pages. These scripts — named specifically for each platform (chatgpt.js, claude.js, gemini.js, etc.) — overrode the browser's fetch() and XMLHttpRequest functions. Every network request and response on those AI pages passed through the extension's code first.

That means every prompt you typed, every response you received, every conversation thread — all of it was intercepted and sent to Urban VPN's servers.

The Chrome Web Store listing at the time stated that data was "not being sold to third parties outside approved use cases." It made no mention of AI conversation collection specifically. The harvesting was controlled by hardcoded flags in the code — there was no user-facing toggle to disable it.

This is the part that really stings. Google's "Featured" badge isn't automatic — it requires a human reviewer at Google to evaluate the extension and determine it meets their quality and trust standards.

Urban VPN had that badge.

According to reporting by The Register, a human at Google reviewed Urban VPN and concluded it met their standards. Yet the extension was able to push a silent update introducing mass AI conversation harvesting — and the badge stayed in place.

This isn't just an Urban VPN problem. It's a fundamental gap in how the Chrome Web Store evaluates extensions over time. The initial review catches what's in the code at submission. But what happens when a trusted extension pushes a malicious update months later? Apparently, not much.

If you've been relying on the "Featured" badge as a trust signal, this case should make you reconsider. It's a useful starting point, but it's not a guarantee.

It wasn't just one extension

Urban VPN Proxy wasn't alone. According to The Hacker News, three other extensions by the same publisher — 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker — included the same AI harvesting functionality. The combined user base across all four extensions reached approximately 8 million.

All four extensions were removed from the Chrome Web Store as of December 18, 2025. The Edge add-ons versions were removed by December 23, 2025, according to Malwarebytes.

Urban Cybersecurity, the publisher, has not publicly responded to these findings as of the time of writing.

Update: a second AI chat-harvesting campaign hit 900K users and 20K+ enterprise tenants

Urban VPN wasn't the only campaign harvesting AI conversations. In January 2026, security researchers at OX Security identified two Chrome extensions posing as AI productivity tools that had collectively harvested ChatGPT and DeepSeek chat histories from nearly 900,000 users:

  • "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" — approximately 600,000 installs
  • "AI Sidebar with Deepseek, ChatGPT, Claude, and more" — approximately 300,000 installs

Both extensions impersonated AITOPIA, a legitimate AI sidebar tool, copying its branding, product description, and UI. Like Urban VPN, one of these extensions also carried a Chrome Web Store "Featured" badge at the time of discovery.

The technical approach was different from Urban VPN's fetch/XHR interception. These extensions used DOM scraping — targeting specific HTML elements on ChatGPT and DeepSeek pages that contain conversation text. Every 30 minutes, the extensions packaged whatever chat content they'd collected and transmitted it to attacker-controlled servers at chatsaigpt.com and deepaichats.com. According to Moshe Siman Tov Bustan of OX Security, the extensions requested consent for "anonymous, non-identifiable analytics data" while actually exfiltrating complete conversation content.

The enterprise impact was significant. Microsoft Defender's telemetry, detailed in a March 2026 Microsoft Security Blog report, confirmed the two extensions had reached across more than 20,000 enterprise tenants. As the Microsoft Security Research Team put it: "The campaign highlights the growing risk of data exposure through browser extensions."

That's 20,000 organizations where employees were feeding sensitive proprietary content — code reviews, strategic planning, HR discussions, financial projections — into AI tools, and having those conversations silently exfiltrated. The timing was especially damaging: this campaign ran during the period of peak AI tool adoption in enterprise environments, when organizations were actively pushing employees to use AI assistants for productivity.

Who's affected and what to do

If you installed Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, or Urban Ad Blocker at any point after July 9, 2025, you should assume that any AI conversations you had while the extension was active were collected and potentially shared with third parties. The same applies if you installed either of the two AITOPIA-impersonating extensions described above — your ChatGPT and DeepSeek conversations may have been exfiltrated.

Here's what to do right now:

  1. Remove the extension — open chrome://extensions/ (or edge://extensions/) and delete it immediately. Even though it's delisted from stores, it may still be installed on your browser.
  2. Check your other extensions — use Extenshi's catalog to scan what's still installed. Look for extensions requesting broad permissions they shouldn't need.
  3. Rotate sensitive credentials — if you shared passwords, API keys, or other secrets in AI conversations while Urban VPN was active, change them now.
  4. Review AI conversation history — check your ChatGPT, Claude, or Gemini history. If you discussed anything sensitive (financial data, medical info, proprietary code), consider what exposure that creates.
  5. Be skeptical of free VPN extensions — free VPN services need revenue from somewhere. If they're not charging you, your data is often the product.

Safer VPN alternatives for your browser

Look, I get it — VPN extensions are convenient. But after Urban VPN, you need to be much pickier about which ones you trust.

Here's what to look for: a paid VPN from a company with a verified no-logs policy, independent security audits, and a track record of transparency. Free VPN extensions are overwhelmingly problematic — multiple studies have found that free VPN providers frequently collect and sell browsing data, which defeats the entire purpose.

A few options that have passed independent audits:

  • NordVPN — offers a browser extension with audited no-logs claims and WebRTC leak protection
  • Surfshark — includes CleanWeb ad/tracker blocking in the extension and has been independently audited
  • ProtonVPN — Swiss-based, open-source apps, and a strict no-logs policy (the free tier is limited but doesn't harvest data)

You can also skip VPN extensions entirely and use a standalone VPN app, which encrypts all your traffic at the system level instead of just the browser. Or consider browsers with built-in VPN support like Opera or Vivaldi (which recently integrated Proton VPN).

Whatever you choose, check the extension's security profile on Extenshi before you install. Permissions, update history, and data access patterns can tell you a lot about whether a "privacy" tool actually protects your privacy.

The bigger picture

Urban VPN isn't an isolated case — and the OX Security campaign proves it. Two entirely separate operations, using different techniques (fetch/XHR interception vs. DOM scraping), both targeting the same prize: AI conversation histories. Together, they affected nearly 9 million users across tens of thousands of enterprise organizations. It fits a growing pattern: extensions that market themselves as privacy or productivity tools turning out to be data collection pipelines.

The common thread? Extensions get trust through user count and store badges, then silently introduce data collection through updates. The Chrome Web Store's review process catches threats at the front door but barely monitors what happens after an extension is approved.

Until browser stores implement continuous behavioral monitoring — scanning what extensions actually do after installation, not just during review — users need to stay vigilant. Check your extensions regularly. Question permissions that seem too broad. And don't assume that a high rating or a "Featured" badge means an extension is safe.

See the full security report →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles