Browser extensions that promise privacy are found to be selling AI conversations from millions of users. Security researchers at Koi Security discovered that popular VPN and ad blocker extensions are secretly intercepting all conversations with ChatGPT, Claude, and Gemini and reselling them to data brokers.
Security researcher Idan Dardikman discovered the problem after wondering if anyone could read his private conversations with AI assistants. Urban VPN Proxy, a Chrome extension with 6 million users and a “Featured” badge from Google, turned out to be one of the culprits.
The extension intercepts conversations from ten AI platforms, including ChatGPT, Claude, Gemini, Microsoft Copilot, and Perplexity. For each platform, the extension uses a special script that captures all prompts and responses before they even appear on the screen. Users cannot disable this; only removing the extension stops the spying.
Selling under the guise of protection
Urban VPN presents AI monitoring as a security feature. The extension is supposed to warn users when they share personal data with ChatGPT. But the code shows something else, Dardikman discovered. The collection takes place regardless of whether those warnings are turned on or off. And while users are warned against sharing an email address with ChatGPT, the extension sends that same conversation to its own servers.
The data goes to Urban Cyber Security Inc., affiliated with BiScience, a data broker. The collection practices are not new: security researchers had previously targeted BiScience for selling browsing history.
The extensions added the AI interception in version 5.5.0 on July 9, 2025. Users who installed the extension before that date received a silent update without a new consent request. Anyone who has used ChatGPT, Claude, or Gemini with Urban VPN since July should assume that those conversations have been sold.
A total of 8 million affected
The problem is not limited to Urban VPN. The same code is found in seven other extensions from the same publisher, spread across Chrome and Edge. In total, more than 8 million people have installed one of these extensions: Urban VPN Proxy (6 million Chrome, 1.3 million Edge), 1ClickVPN Proxy (600,000 Chrome, 36,000 Edge), Urban Browser Guard (40,000 Chrome, 12,000 Edge), and Urban Ad Blocker (10,000 Chrome, 6,000 Edge).
Almost all of these extensions carry a “Featured” badge. According to Google, this badge means that the extension has been manually reviewed and meets high quality standards. Nevertheless, the extension intercepts conversations with Google’s own AI product, Gemini. Microsoft also allowed Urban VPN into its Edge store with “Featured” status.
Unclear terms and conditions
The Chrome Web Store page states that data “is not sold to third parties, except for approved uses.” The privacy statement says something else: “We pass on the AI prompts for marketing analysis purposes.” This contradiction makes it impossible for users to know where they stand.
Users who have any of the aforementioned extensions should remove them immediately, according to Dardikman. All AI conversations since July 2025 have likely been shared with third parties: medical questions, financial details, company code, personal dilemmas.
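To check whether one of the named extensions is installed, the following added example (not code from Koi Security or the article) scans a Chromium profile's Extensions directory and resolves localized names from each manifest. Matching on display name is an assumption, because the article lists names but no extension IDs; the directory path is supplied by the user.

```python
import json
import sys
from pathlib import Path

# Names as listed in the article. Matching by name is an assumption:
# the article gives no extension IDs, and a display name can change.
FLAGGED_NAMES = ("urban vpn proxy", "1clickvpn proxy",
                 "urban browser guard", "urban ad blocker")


def read_identity(version_dir: Path):
    """Return (display name, version) from manifest.json in version_dir."""
    manifest = json.loads(
        (version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = manifest.get("name", "")
    # Localized extensions store "__MSG_key__" and keep the real name
    # in _locales/<default_locale>/messages.json.
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2].lower()
        locale = manifest.get("default_locale", "en")
        path = version_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            messages = {}
        for msg_key, entry in messages.items():
            if msg_key.lower() == key:  # message keys are case-insensitive
                name = entry.get("message", name)
                break
    return name, manifest.get("version", "")


def find_flagged(extensions_dir: Path):
    """Return [(extension_id, version, name)] for names matching the list."""
    hits = []
    # On-disk layout: <Extensions>/<extension id>/<version dir>/manifest.json
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            name, version = read_identity(manifest_path.parent)
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip, do not crash
        if any(flag in name.lower() for flag in FLAGGED_NAMES):
            hits.append((manifest_path.parent.parent.name, version, name))
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_extensions.py <profile>/Extensions")
    for ext_id, version, name in find_flagged(Path(sys.argv[1])):
        print(f"{ext_id}\t{version}\t{name}")
```

Run it once per browser profile, for Chrome and Edge alike; an empty result only means no installed extension carries one of these names.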
At the time of writing, the extensions remain active in the Chrome Web Store and Microsoft Edge Add-ons, despite the fact that Google’s policy explicitly prohibits the sale of user data to data brokers. The Chrome policy states that extensions may not transfer data to “advertising parties, data brokers, or other information sellers.”
For those who still want to use a VPN extension, the Koi researcher offers some advice. He says: choose a well-known, paid service with independent audits and a clear no-logs policy. Free services often finance themselves by collecting data or injecting advertisements.