Since the breakout moment of large language models that powered chatbots, people have rapidly made them the default place to ask almost anything.
Users now turn to AI assistants for medical questions, financial guidance, relationship advice, legal explanations, coding help, and deeply personal reflections that they might hesitate to share elsewhere. This shift has been both visible and profound: AI chat interfaces have evolved into informal confessional spaces, productivity tools, and decision aids all at once.
As this behavior has gone mainstream, it has also created an incredibly valuable new stream of data: one that companies are increasingly eager to observe, analyze, and monetize.
That growing appetite for AI conversation data is what makes a recent security investigation especially alarming.
And this time, security researcher Idan Dardikman from Koi Security, has uncovered that a group of widely installed browser extensions, led by Urban VPN Proxy, has been quietly collecting and monetizing users’ private conversations with AI chatbots, including ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek. Grok, and Meta AI.
Urban VPN Proxy alone has more than six million users on the Chrome Web Store and carries a prominent “Featured” badge, a signal many users interpret as an endorsement of quality and safety.
Marketed as a free VPN designed to protect identity and hide IP addresses, the extension instead introduced a major behavioral change in July 2025.
With the release of version 5.5.0, new code was silently added that enabled AI conversation harvesting by default, without any clear user-facing notice or opt-out controls.
According to findings from Koi Security, the extension injects custom JavaScript “executor” scripts whenever a user visits supported AI platforms.
These scripts hook directly into core browser networking functions such as fetch() and XMLHttpRequest(), allowing the extension to intercept every prompt sent to an AI model and every response returned. The captured data includes full conversation text, timestamps, session identifiers, and information about which AI platform and model were used.
Once collected, this information is transmitted to Urban VPN–controlled servers for processing.
An making things worse, the data it gathers include raw data. What this means, whatever interactions users have with their chosen chatbots, is sent without anonymization.
Crucially, this data collection runs continuously in the background.
It does not depend on whether the VPN is enabled, whether optional "AI protection" features are turned on, or whether the user is actively interacting with the extension.
The only way to stop the collection is to uninstall the extension entirely. Because browser extensions update automatically, many users who originally installed Urban VPN for basic VPN functionality woke up to a very different product without ever explicitly consenting to the new behavior.
Urban VPN’s updated privacy policy does disclose that AI prompts and outputs are collected as part of "web browsing data" and used for analytics and marketing purposes, with claims that the data is filtered and de-identified.
However, researchers point out that this disclosure is buried deep in legal language and contradicts simpler claims on extension store pages stating that user data is not sold to third parties.
Complicating matters further, Urban VPN is operated by Urban Cyber Security Inc., which is affiliated with BiScience, a data analytics and advertising intelligence company known for monetizing large-scale browsing data.
The investigation didn’t stop with a single extension.
Koi Security identified the same AI conversation harvesting code across several other extensions from the same publisher, including 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker.
Combined, these extensions affect more than eight million users across Chrome and Microsoft Edge. Most of them also carry “Featured” badges, reinforcing the perception that they meet high standards for safety and transparency.
What makes this incident particularly concerning is the nature of the data being captured.
AI chatbots are increasingly used for conversations that reveal intent, vulnerability, and private context, far beyond what traditional browsing data exposes. Unlike search queries or social posts, AI prompts often contain unfiltered thoughts, unfinished ideas, and sensitive disclosures.
The systematic harvesting of this information underscores how the rise of conversational AI has created a new surveillance surface that many users don’t yet fully understand.
The case highlights a broader problem with browser extension ecosystems.
Trust signals like star ratings, large install counts, and platform “Featured” badges are not guarantees of ethical data practices. As AI becomes a central interface for thinking, planning, and asking for help, any tool positioned between users and their AI assistants becomes extraordinarily powerful.
For users who have installed any of the affected extensions, the guidance from researchers is unambiguous: uninstall them immediately and assume that any AI conversations since July 2025 may have been captured and shared.
More broadly, this episode serves as a reminder that AI assistants are not private spaces by default, and that in an era where asking AI "anything" has become normal, guarding how and where those questions are transmitted matters more than ever.