Full Report
A Google Chrome extension with a "Featured" badge and six million users has been observed silently gathering every prompt entered by users into artificial intelligence (AI)-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity. The extension in question is Urban VPN Proxy, which has a 4.7 rating on the Google Chrome
Analysis Summary
# Incident Report: Covert AI Chat Interception via Chrome Extension
## Executive Summary
The widely used Chrome extension "Urban VPN Proxy" (6 million users) was discovered to be silently harvesting all user inputs (prompts) and outputs from popular AI chatbots, including ChatGPT, Claude, and Gemini. This data harvesting was enabled via an automatic update to version 5.5.0 on July 9, 2025, by modifying the extension's JavaScript to intercept and exfiltrate conversational data to remote servers controlled by the developer's affiliated parent company.
## Incident Details
- **Discovery Date:** December 15, 2025 (Date of published report)
- **Incident Date:** Data collection was enabled starting July 9, 2025, with the release of version 5.5.0.
- **Affected Organization:** Urban Cyber Security Inc. (Developer)
- **Sector:** Software/Browser Extensions, VPN Services
- **Geography:** Delaware (Developer location); Global (Users)
## Timeline of Events
### Initial Access
- **Date/Time:** July 9, 2025
- **Vector:** Legitimate Software Distribution Channel / Software Update Mechanism
- **Details:** Version 5.5.0 of the Urban VPN Proxy extension was released, which included hard-coded settings to activate the AI data harvesting functionality by default.
### Lateral Movement
* Not directly applicable in the traditional sense, as the extension operated within the user's browser sandbox and communicated externally to attacker-controlled servers, not internally across the victim's corporate network.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing starting July 9, 2025
- **Vector:** Overriding browser networking APIs (`fetch()` and `XMLHttpRequest()`).
- **Details:** The extension injected a tailored executor JavaScript (`chatgpt.js`, `claude.js`, etc.) specifically designed to intercept all user prompts and AI chatbot responses during active sessions, including conversation identifiers, timestamps, and session metadata. This data was exfiltrated to two remote servers: `analytics.urban-vpn[.]com` and `stats.urban-vpn[.]com`.
### Detection & Response
- **Detection:** The malicious behavior was discovered and publicly reported by Koi Security (Idan Dardikman). (Exact date of detection by the researchers is not specified, only the report date.)
- **Response Actions:** The article does not detail specific external remediation actions taken by Google or regulatory bodies, but the publication of the findings serves as a public alert.
## Attack Methodology
The methodology primarily involved **Supply Chain Compromise** through a trusted software distribution platform (Chrome Web Store).
- **Initial Access:** Releasing a malicious update (v5.5.0) via the legitimate extension update channel.
- **Persistence:** Achieved via the auto-update nature of Chrome/Edge extensions, ensuring the malicious code (hard-coded settings) remained active on millions of endpoints.
- **Privilege Escalation:** Not applicable; the extension already possessed the necessary browser permissions.
- **Defense Evasion:** The code was silently injected through an update, bypassing initial user scrutiny. The stated purpose (VPN) provided cover for the high level of access required.
- **Collection:** Injection of customized JavaScript executors to hook into and override core browser networking APIs (`fetch`, `XMLHttpRequest`).
- **Exfiltration:** Data routed to two specific remote domains owned by the developer entity.
- **Impact:** Massive collection of sensitive user interactions with proprietary AI models.
## Impact Assessment
- **Financial:** Not quantified in the source material.
- **Data Breach:** High volume of sensitive user-inputted data collected across multiple major AI platforms (ChatGPT, Gemini, Claude, etc.). Data included user prompts, AI responses, and session metadata. The developer's affiliated company, BIScience, was known to process raw, unanonymized data for commercial sharing.
- **Operational:** No operational disruption to the developer's or users' systems, but severe operational risk due to data exposure.
- **Reputational:** Significant damage to the trust placed in browser extensions, especially those used for security functions like VPNs, and the featured extensions program on official stores.
## Indicators of Compromise
- **Network Indicators (Defanged):**
- `analytics.urban-vpn[.]com`
- `stats.urban-vpn[.]com`
- **File Indicators:**
- Custom JavaScript executors targeting AI chat sessions (e.g., `chatgpt.js`, `claude.js`, `gemini.js`).
- **Behavioral Indicators:**
- Overriding browser networking APIs (`fetch`, `XMLHttpRequest`) on known AI chatbot domain URLs.
- Unsolicited transmission of POST/GET data containing conversational text to non-standard domains associated with the extension developer.
## Response Actions
*The article primarily focuses on the discovery and technical details rather than the coordinated cleanup.*
- **Containment measures:** (Implied) Users would need to uninstall the extension and possibly review browser performance/network logs.
- **Eradication steps:** (Implied) Removal of the malicious version by platform vendors (Google/Microsoft).
- **Recovery actions:** (Implied) Users must reassess trust in any extension, regardless of rating or "Featured" status.
## Lessons Learned
1. **Trusting Permissions and Badges is Dangerous:** A high rating (4.7) and a "Featured" badge on the Chrome Web Store provided a false sense of security; the extension misused legitimate access granted for VPN functionality.
2. **Automatic Updates are a Critical Risk Surface:** Auto-updates allowed attackers to rapidly deploy malicious code to millions of users without requiring explicit re-consent for the new, unauthorized functionality.
3. **Privacy Policy Obfuscation:** The developer updated the privacy policy months in advance (June 25, 2025) to mention AI data collection, suggesting premeditation, even if framed under "de-identified" or "marketing analytics." However, the reality indicated raw, identifiable data collection was shared with an affiliated entity (BIScience).
## Recommendations
1. **Aggressive Zero-Trust for Extensions:** Users should manually review and approve large extension updates, especially for extensions that operate with broad network access.
2. **Enhanced Platform Vetting:** Browser vendors (Google/Microsoft) must increase real-time scrutiny of post-installation code changes in high-user-count extensions, particularly those that manipulate core browser APIs.
3. **Data Flow Monitoring:** Organizations should monitor outbound employee traffic for suspicious data transmission originating from browser sandboxes, looking for unusual exfiltration patterns involving conversational data.