The Dark Side of Urban VPN Proxy: A Cautionary Tale of Trust and Data Privacy
A Trusted Tool, Recast in Silence
For years, Urban VPN Proxy was celebrated as a reliable browser extension, positioned comfortably within the vast ecosystem of online privacy tools. Marketed as a “free tool to hide your IP” and “protect your online identity,” it became a trusted companion to millions—over six million users on Google Chrome and more than a million on Microsoft Edge. The widely recognized “Featured” badge further bolstered its credibility, serving as an implicit endorsement from the platforms that housed it.
However, what once exemplified trust has morphed into a cautionary tale about digital privacy. According to recent findings published by Koi Security, a pivotal update in July 2025 dramatically altered the extension’s functionality. This transformation occurred with minimal user awareness and no explicit consent. Unbeknownst to its users, Urban VPN began to covertly capture every interaction users had with popular AI chatbots. This included not only the prompts individuals typed but also the AI-generated responses from services like OpenAI’s ChatGPT, Anthropic’s Claude, and many others.
How AI Conversations Were Intercepted
The technical prowess behind this data collection was both sophisticated and alarming. Koi Security's investigations revealed that Urban VPN injected custom JavaScript files, such as chatgpt.js, claude.js, and gemini.js, when users accessed AI platforms. These scripts hijacked the browser's network requests by overriding the standard fetch() and XMLHttpRequest APIs, allowing the extension to siphon off entire interactions.
As users interacted with AI, every detail was meticulously captured: from user prompts and chatbot responses to timestamps and session metadata. This extensive data trove was then transmitted to remote servers managed by the extension’s developers, raising serious questions about user autonomy and consent. Compounding the concern, Koi Security identified the same data-harvesting mechanism in three other extensions from the same publisher, alongside Urban VPN, bringing the total number of affected users to over eight million across Chrome and Edge.
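One check a defender can run over installed extensions' manifest.json files, as an added example that is not taken from Koi Security's report or from the extension's code: it flags content scripts and runtime-injection rights that reach AI chat sites. The watched host names and the sample manifest are assumptions constructed for illustration.

```javascript
// Assumption: hosts of the AI services to watch; adjust to your environment.
const WATCHED_HOSTS = ["chatgpt.com", "claude.ai", "gemini.google.com"];

// Does a Chrome match pattern (e.g. "*://*.claude.ai/*") cover the given host?
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;                        // malformed pattern: ignore
  if (m[2] === "*") return true;               // any host
  if (m[2].startsWith("*.")) {                 // the host and all its subdomains
    const base = m[2].slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === m[2];
}

const coveredHosts = (patterns, hosts) =>
  hosts.filter((h) => (patterns || []).some((p) => patternCoversHost(p, h)));

// One finding per content script or permission grant that reaches a watched host.
function auditManifest(manifest, hosts = WATCHED_HOSTS) {
  const findings = [];
  for (const cs of manifest.content_scripts || []) {
    const hit = coveredHosts(cs.matches, hosts);
    if (hit.length === 0) continue;
    findings.push({
      kind: "content_script", hosts: hit, files: cs.js || [],
      // MAIN-world scripts share the page's JS context, so they can replace
      // window.fetch and XMLHttpRequest as seen by the site's own code.
      mainWorld: cs.world === "MAIN",
      earlyInjection: cs.run_at === "document_start",
    });
  }
  // Host permissions plus "scripting" allow injection at runtime,
  // with no content_scripts entry in the manifest at all.
  const hostPerms = [...(manifest.host_permissions || []),
                     ...(manifest.optional_host_permissions || [])];
  const permHit = coveredHosts(hostPerms, hosts);
  if (permHit.length && (manifest.permissions || []).includes("scripting")) {
    findings.push({ kind: "runtime_injection", hosts: permHit, files: [] });
  }
  return findings;
}

// Constructed sample manifest, not the real extension's.
const SAMPLE_MANIFEST = {
  permissions: ["storage", "scripting"], host_permissions: ["<all_urls>"],
  content_scripts: [
    { matches: ["*://*.claude.ai/*"], js: ["claude.js"], run_at: "document_start", world: "MAIN" },
    { matches: ["https://example.org/*"], js: ["other.js"] },
  ],
};
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

A finding with `mainWorld: false` still deserves review, since an isolated-world content script can read the page's DOM, including rendered prompts and responses.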
“AI Protection” and the Data Economy Behind It
In its public listing, Urban VPN touted an “AI protection” feature that claimed to scan user prompts for potentially sensitive information before submission. However, researchers argue that this framing is merely a distraction from the more troubling reality: monitoring was occurring regardless of whether users opted into this safety feature.
Idan Dardikman, a researcher at Koi Security, elaborated on this paradox, noting that the extension warned users against sharing sensitive data while simultaneously exfiltrating their conversations. Among the recipients of this harvested data was BIScience, an affiliated advertising firm that used raw, non-anonymized user data to create insights for commercial purposes, a practice that many privacy advocates would deem unethical.
BIScience, which also owns Urban Cyber Security Inc., has previously come under scrutiny for its opaque data collection practices. Investigators have highlighted that the company provided development kits to third-party developers to collect browsing data disguised as legitimate functionality.
Badges, Blind Spots, and Platform Trust
Perhaps the most unsettling aspect of this entire episode is the ease with which Urban VPN scaled its data collection efforts. Aside from one listing on Edge, all the extensions bore “Featured” badges—indicators of higher scrutiny and quality assurance from the platforms.
As Dardikman noted, “These badges are the difference between installing an extension and passing it by.” They serve as a silent endorsement and a powerful motivator for users who may be unaware of the potential pitfalls.
This incident underscores a broader vulnerability within browser marketplaces. Existing policies often permit access to browsing data under vaguely defined “approved use cases.” By tying expansive data collection practices to ostensibly benign features—like AI safety warnings or ad blocking—developers can argue that sweeping permissions are justified in the name of user security.
As society becomes more reliant on browser extensions and AI technologies, the need for rigorous oversight and user education becomes increasingly urgent. The Urban VPN situation serves as a critical reminder of the trust we place in digital tools and the ongoing battle for transparency in the era of the extension economy.


