👤 GHOSTCOMPLY
🗓️ 16 Dec 2025  

Behind the Mask: How a Popular VPN Extension Turned into a Data-Harvesting Machine

Subtitle: Millions trusted Urban VPN Proxy to secure their privacy - now, a shocking investigation reveals the extension was quietly siphoning sensitive conversations with leading AI chatbots.

For years, browser VPN extensions have been marketed as digital shields - simple add-ons promising to keep your online life private and secure. But a recent exposé has upended that narrative, shining a spotlight on Urban VPN Proxy, a Chrome and Edge extension with over six million installations and a near-perfect user rating. What users didn’t know: the extension was silently intercepting their conversations with AI chatbots, funneling sensitive data far beyond their screens.

The story broke when Koi Security researchers flagged suspicious behavior in Urban VPN Proxy. After a routine update in July 2025, the extension began injecting hidden JavaScript code into web pages that hosted AI chatbots - ChatGPT, Claude, Copilot, and others. This code replaced standard browser network functions, rerouting all chatbot interactions through the extension’s own filters. The result? Everything users typed or received was extracted and sent to analytics.urban-vpn[.]com and stats.urban-vpn[.]com for further analysis.
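For defenders, the two endpoints named above give a concrete thing to hunt for in web-proxy logs. The sketch below is an added example, not code from the article or from Koi Security; the five-field log format and the sample lines are constructed assumptions.

```python
"""Hunt proxy logs for the collection endpoints named in the article."""
from collections import defaultdict
from urllib.parse import urlsplit

# Endpoints reported in the article, stored defanged as published.
REPORTED = ("analytics.urban-vpn[.]com", "stats.urban-vpn[.]com")
ENDPOINTS = tuple(i.replace("[.]", ".") for i in REPORTED)

def host_of(target):
    """Hostname of a URL or host:port target, lowercased, no trailing dot."""
    if "://" not in target:
        target = "//" + target          # lets urlsplit parse "host:443"
    try:
        host = urlsplit(target).hostname
    except ValueError:                   # e.g. malformed IPv6 literal
        return None
    return host.rstrip(".") if host else None

def is_reported(host):
    """Exact host or a subdomain of it; label-aligned, so lookalikes fail."""
    return any(host == e or host.endswith("." + e) for e in ENDPOINTS)

def hunt(lines):
    """Map client IP -> [(timestamp, host)] for requests to reported hosts.

    Assumed (constructed) format: <time> <client> <method> <target> <status>
    """
    hits = defaultdict(list)
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                     # skip lines that do not parse
        when, client, _method, target, _status = fields
        host = host_of(target)
        if host and is_reported(host):
            hits[client].append((when, host))
    return dict(hits)

A, S = ENDPOINTS
SAMPLE_LOG = [  # constructed lines, not taken from any real capture
    f"2025-12-16T09:00:01Z 10.0.0.5 CONNECT {A}:443 200",
    f"2025-12-16T09:00:02Z 10.0.0.5 POST https://{S.upper()}/constructed-path 200",
    f"2025-12-16T09:00:03Z 10.0.0.6 CONNECT {S}.:443 200",
    f"2025-12-16T09:00:04Z 10.0.0.7 GET https://{S}.example.net/ 200",
    f"2025-12-16T09:00:05Z 10.0.0.8 GET https://not{A}/ 200",
    f"2025-12-16T09:00:06Z 10.0.0.9 GET https://example.org/?ref={S} 200",
    "truncated line",
]

if __name__ == "__main__":
    for client, events in hunt(SAMPLE_LOG).items():
        print(client, events)
```

Only the first three sample lines match: the lookalike suffix, the prefixed hostname and the query-string mention are deliberately rejected because matching is done on the parsed hostname, not on the raw line.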

The scope of the data leak is staggering. Beyond the chat content itself, Urban VPN Proxy scooped up conversation IDs, timestamps, and technical metadata - enough to reconstruct a detailed map of user interactions. While Urban VPN’s updated privacy policy mentions data collection for “safe browsing” and marketing analytics, it admits that stripping sensitive information from queries isn’t always possible. In other words, what you told your chatbot could have ended up in the hands of third-party marketers.

Digging deeper, the investigation found that Urban VPN’s parent company, Urban Cyber Security Inc., is connected to BIScience, a firm specializing in advertising analytics. BIScience, according to Urban VPN’s own documentation, may use non-anonymized data to generate commercial insights, which are then shared with business partners. This raises urgent questions about how much user privacy is actually protected - and who stands to profit from your supposedly private conversations.

Even more troubling: three other extensions from the same publisher - 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker - were found to employ similar methods for intercepting AI chatbot data. Combined, these extensions have over eight million installations, many marked as “Featured” by browser platforms, implying an extra layer of trust and scrutiny that now appears misplaced.

While Urban VPN Proxy promotes its AI-based protection against suspicious links and personal data leaks, Koi Security’s analysis showed that the extension harvested conversations regardless of user settings. As of this writing, Google and Microsoft have yet to comment on the findings.

For users, the lesson is clear: not all privacy tools are created equal. In an era where browser extensions can transform from guardians to spies overnight, vigilance and skepticism are your best defense. The next time you install a “trusted” VPN extension, remember - sometimes, the biggest threats wear the mask of security.

WIKICROOK

  • Browser Extension: A browser extension is a small add-on that enhances browser features but can also be misused by hackers to steal data or spy on users.
  • VPN (Virtual Private Network): A VPN encrypts your internet connection and hides your IP address, providing extra privacy and security when browsing online or using public Wi-Fi.
  • JavaScript Injection: JavaScript injection is a hacking method where attackers insert malicious code into web apps to steal data, hijack sessions, or alter content.
  • Metadata: Metadata is hidden information attached to digital files, like photos or ads, containing details such as creation date, author, or device used.
  • Anonymization: Anonymization removes or alters personal identifiers in data to protect privacy, but may not fully prevent re-identification when combined with other datasets.

GHOSTCOMPLY
Compliance & Legal-Tech Advisor