According to Futurism, a security investigation has revealed that the “Urban VPN Proxy” extension, with over six million users and a “featured” badge on the Google Chrome Web Store, is secretly harvesting private conversations from AI platforms like ChatGPT, Claude, Gemini, DeepSeek, and Grok. The extension, made by Urban Cyber Security Inc., uses hidden scripts to intercept and capture all chatbot data, including medical questions, financial details, and proprietary code, regardless of whether the VPN is active. This data is then shared with an affiliated data broker called BiScience, which sells it for “marketing analytics purposes.” The harvesting script is enabled by default with no user-facing toggle to disable it; the only way to stop the collection is to completely uninstall the extension. Furthermore, the same publisher has at least seven other apps with identical functionality, impacting over two million additional users. Security researchers warn that any AI conversations held since July 2025 with these extensions installed have likely been captured and sold.
The Free VPN Trap
Here’s the thing: we all know the old saying about free services. If you’re not paying for the product, you are the product. But this Urban VPN case takes that to a terrifying new level. It’s not just serving you ads based on your browsing history. It’s actively eavesdropping on what you might consider your most private digital conversations—your therapy sessions with an AI, your brainstorming for a business idea, that proprietary code snippet you asked ChatGPT to debug. The extension’s own privacy policy basically admits to this, stating it shares “Web Browsing Data” with BiScience. So, legally, they’ve covered themselves. Ethically? It’s a nightmare.
Google’s Featured Problem
Now, this is where it gets really frustrating for users. This extension, and most of its siblings, carry Google’s own “featured” badge on the Chrome Web Store. That badge is supposed to signal trust, quality, and adherence to Google’s policies. But the extension’s store page claims user data is “not being sold to third parties, outside of the approved use cases.” Seems like sharing everything with a data broker is their “approved use case.” So what does that badge actually mean? It feels like a massive failure in oversight. Google’s platform gave this thing a seal of approval while it was vacuuming up the most sensitive data imaginable from millions of people. That’s a huge breach of trust.
A Wider Data Broker Economy
Let’s talk business model. Urban Cyber Security Inc. isn’t some shadowy hacking group. It’s a company with a published privacy policy and a clear revenue stream: your intimate conversations. They’re packaging raw, unfiltered AI chat logs and selling them as “insights.” Think about the market for that. Who’s buying “marketing analytics” that consist of people’s personal dilemmas and health questions? The potential for misuse is staggering. And Koi’s research, detailed on their blog, suggests this is probably just the tip of the iceberg. If one company is doing it this brazenly, how many others are?
What You Can Do Now
So, what’s the takeaway? First, if you have Urban VPN Proxy or any other extension from this publisher, uninstall it immediately. Like, right now. Second, start auditing your other browser extensions, especially free ones. Check their privacy policies for vague terms about “data sharing with affiliates” or “analytics.” Third, have a sobering thought about where you conduct sensitive conversations. Your browser, laden with extensions, might be the leakiest place possible. This incident is a brutal reminder that in the digital world, privacy is never a default setting. You have to actively fight for it, and sometimes that means not trusting the shiny badges from the biggest tech companies in the world.
