What if the browser extension protecting your privacy was the one selling it?
Urban VPN Proxy, sporting Google's coveted "Featured" badge and trusted by over 6 million users, spent months harvesting complete AI conversations from ChatGPT, Claude, Gemini, and five other platforms. The kicker? It simultaneously displayed warnings about sharing sensitive data with AI companies.
The betrayal went live on July 9, 2025 via automatic update version 5.5.0. No user notification. No consent dialog. Users simply woke up with malicious code silently injecting itself into every AI platform they visited.
The Technical Heist
Urban's parent company BiScience deployed surgical precision:
- Platform-specific scripts (chatgpt.js, claude.js, gemini.js) for each AI service
- API overrides hijacking fetch() and XMLHttpRequest() calls
- Complete data capture: prompts, responses, timestamps, conversation IDs, session metadata, model details
- Compressed exfiltration to analytics.urban-vpn.com and stats.urban-vpn.com
The harvesting ran continuously, independent of VPN status. Even when the extension warned users about AI privacy risks, it was packaging their conversations for sale.
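The injection technique described above works by replacing the page's own network entry points with wrappers. The following check, which is an added example and not code from the article or from Koi Security's analysis, is one way a defender can test a page for that condition: it asks whether fetch, XMLHttpRequest and WebSocket methods still stringify as native browser code. The simulated window, the wrapper shape and the list of entry points are assumptions for the demo; a real run would call auditWindow(window) from the page console. The result is a signal rather than proof, because an injected script can also override Function.prototype.toString, so corroborate it with the extension's manifest or with observed network traffic.

```javascript
// Added example: detect monkey-patched network APIs on a page.
// Not from the article; the wrapper and the simulated window are constructed.

const NATIVE_MARKER = /\{\s*\[native code\]\s*\}\s*$/;

// True when fn stringifies like a native built-in. Function.prototype.toString is
// called directly so that a per-function toString override on a wrapper is bypassed.
function isNative(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return NATIVE_MARKER.test(Function.prototype.toString.call(fn));
  } catch (err) {
    return false; // revoked proxies and similar throw here; treat as suspicious
  }
}

// Resolve a dotted path such as "XMLHttpRequest.prototype.open" against a root object.
function resolvePath(root, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), root);
}

// Return every path whose value is missing or no longer the native implementation.
function findNonNative(root, paths) {
  return paths.filter((path) => !isNative(resolvePath(root, path)));
}

// Entry points a conversation-harvesting script would need to wrap on a chat page:
// fetch for JSON calls, XHR for older call paths, WebSocket for streamed responses.
const NETWORK_ENTRY_POINTS = [
  'fetch',
  'XMLHttpRequest.prototype.open',
  'XMLHttpRequest.prototype.send',
  'WebSocket.prototype.send',
];

// Audit a window-like object. In a browser: auditWindow(window).
function auditWindow(win) {
  return findNonNative(win, NETWORK_ENTRY_POINTS);
}

// --- Constructed demonstration: Node has no XMLHttpRequest or WebSocket, so a
// simulated window object stands in for a real page. ---

// Hypothetical wrapper of the shape an injecting script installs. It forwards the
// call to the original so the page keeps working, which is why nothing looks broken.
function makeWrapper(original) {
  return function wrapped(...args) {
    return original.apply(this, args);
  };
}

function simulatedPatchedWindow() {
  const realFetch = globalThis.fetch || function fetch() {};
  class FakeXHR { open() {} send() {} }
  class FakeWS { send() {} }
  return { fetch: makeWrapper(realFetch), XMLHttpRequest: FakeXHR, WebSocket: FakeWS };
}

// Genuine built-ins, used as stand-ins for a clean window's native functions.
const BUILTIN_PATHS = ['JSON.parse', 'Array.prototype.map', 'Function.prototype.call'];

if (typeof window === 'undefined') {
  console.log('built-ins flagged:', findNonNative(globalThis, BUILTIN_PATHS)); // []
  console.log('patched window flagged:', auditWindow(simulatedPatchedWindow()));
} else {
  console.log('page entry points flagged:', auditWindow(window));
}
```

On a real page, run the check as early as possible (for example from a DevTools snippet at document start), since a content script declared with run_at document_start can install its wrappers before your code does; an empty result at page load followed by flagged entries later points at a script that patches lazily.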
"Extensions warning about AI data sharing with companies like OpenAI while exfiltrating entire conversations to data brokers" - Idan Dardikman, Koi Security
This wasn't some rogue developer. BiScience operates as a data broker, monetizing "re-identifiable clickstream data" through products like AdClarity and Clickstream OS. They've been in the surveillance business since 2009.
The Scale of Betrayal
8 million users across Chrome and Edge stores. Seven additional extensions from the same publisher - VPNs, ad blockers, security tools - all infected with similar harvesting capabilities.
Consider what people ask AI platforms: medical symptoms, financial planning, relationship advice, business strategies, creative projects. Hundreds of millions of these intimate conversations now sit in BiScience's databases, tagged with device IDs and behavioral metadata perfect for re-identification.
The technical sophistication suggests this wasn't opportunistic. BiScience watched the generative AI boom and saw dollar signs. Free VPN users became unwitting data sources for a much more valuable product: real-time AI interaction intelligence.
Google's Vetting Theater
Here's what stings: Urban VPN Proxy earned Google's "Featured" badge - supposedly indicating enhanced trust and safety. The extension maintained high ratings and operated for months post-infection.
Google's review process failed spectacularly. At least one of the following must be true:
1. Automated systems can't detect sophisticated API hijacking
2. Human reviewers never tested extensions on AI platforms
3. Update reviews are essentially non-existent
Malwarebytes called this a "growing grey area" where disclosures technically exist but "defy user expectations." Translation: legal fine print covering illegal-feeling behavior.
Hot Take: The Free VPN Death Knell
This incident should kill the free VPN category entirely. The economics never made sense - how do you provide expensive infrastructure for free without monetizing users somehow?
Urban VPN's "privacy protection" was always theater. The real business model was surveillance arbitrage: promise privacy, deliver data harvesting, profit from the contradiction.
Developers building AI-integrated tools should study this attack vector obsessively. The technique - injecting platform-specific scripts via auto-updates - works because browser extensions operate with extraordinary privilege. They run in every tab, survive page reloads, and update silently.
Defense strategies:
- Audit extensions for script injection capabilities
- Disable auto-updates on sensitive workflows
- Monitor network traffic from extensions
- Prefer paid tools with transparent business models
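The first defense above, auditing an extension for script injection capabilities, can be started statically from its manifest.json before it ever runs. The script below is an added example, not the article's or any vendor's code: it inspects the standard Manifest V3 fields permissions, host_permissions and content_scripts (including the optional world field, which decides whether a content script can touch the page's own fetch and XMLHttpRequest directly) and reports which declared capabilities reach a list of AI chat hosts. The host list and the sample manifest are constructed for the demo; the file names chatgpt.js and claude.js mirror the ones named in the article.

```javascript
// Added example: flag extension manifest capabilities that reach AI chat pages.
// Not from the article; AI_CHAT_HOSTS and SAMPLE_MANIFEST are constructed.

const AI_CHAT_HOSTS = ['chatgpt.com', 'chat.openai.com', 'claude.ai', 'gemini.google.com'];

// Match patterns that cover every site.
const BROAD_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// Does a Chrome match pattern cover the given host? Handles the broad forms,
// "*://*.example.com/*" and exact hosts; anything else is treated as not matching,
// so pair this check with a manual read of the manifest.
function patternCoversHost(pattern, host) {
  if (BROAD_PATTERNS.includes(pattern)) return true;
  const m = /^(\*|https?|wss?):\/\/([^/]+)\/.*$/.exec(pattern);
  if (!m) return false;
  const hostPart = m[2];
  if (hostPart === '*') return true;
  if (hostPart.startsWith('*.')) {
    const base = hostPart.slice(2);
    return host === base || host.endsWith('.' + base);
  }
  return hostPart === host;
}

// Returns a list of { where, hosts, note } findings for the given manifest object.
function auditManifest(manifest, hosts = AI_CHAT_HOSTS) {
  const findings = [];
  const perms = new Set(manifest.permissions || []);

  // chrome.scripting lets an extension inject code at runtime without declaring
  // any content script up front, so an update can add injection silently.
  if (perms.has('scripting')) {
    findings.push({ where: 'permissions', hosts: [], note: '"scripting" allows runtime code injection' });
  }

  for (const pattern of manifest.host_permissions || []) {
    const covered = hosts.filter((h) => patternCoversHost(pattern, h));
    if (covered.length) {
      findings.push({ where: `host_permissions "${pattern}"`, hosts: covered, note: 'grants access to these hosts' });
    }
  }

  (manifest.content_scripts || []).forEach((cs, i) => {
    const covered = hosts.filter((h) => (cs.matches || []).some((p) => patternCoversHost(p, h)));
    if (!covered.length) return;
    const note = cs.world === 'MAIN'
      ? 'runs in the page main world, so it can replace fetch/XMLHttpRequest directly'
      : 'runs in an isolated world; can still inject a <script> element into the page';
    findings.push({ where: `content_scripts[${i}] ${(cs.js || []).join(', ')}`, hosts: covered, note });
  });

  return findings;
}

// Constructed sample manifest in the shape the article describes: one script per AI
// platform, plus broad host permissions. Version and name are placeholders.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Example VPN Proxy (constructed sample)',
  version: '0.0.1-sample',
  permissions: ['proxy', 'storage', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [
    { matches: ['*://chatgpt.com/*', '*://chat.openai.com/*'], js: ['chatgpt.js'], world: 'MAIN', run_at: 'document_start' },
    { matches: ['*://claude.ai/*'], js: ['claude.js'] },
    { matches: ['*://example.com/*'], js: ['vpn-ui.js'] },
  ],
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.where}: ${f.note}${f.hosts.length ? ' [' + f.hosts.join(', ') + ']' : ''}`);
}
```

To audit an installed extension, load its unpacked manifest.json with fs.readFileSync and JSON.parse and pass the object to auditManifest. Repeat the audit after every version bump: the article's point is that the harvesting arrived through an automatic update, so a manifest that was clean at install time says nothing about the current version.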
BiScience turned 8 million privacy-conscious users into unwitting data sources. The real question isn't whether Google will improve vetting.
It's how many other "Featured" extensions are running similar schemes right now.
