Full Report
This is pretty scary: Urban VPN Proxy targets conversations across ten AI platforms: ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI), Meta AI. For each platform, the extension includes a dedicated “executor” script designed to intercept and capture conversations. The harvesting is enabled by default through hardcoded flags in the extension’s configuration. There is no user-facing toggle to disable this. The only way to stop the data collection is to uninstall the extension entirely. […] The data collection operates independently of the VPN functionality. Whether the VPN is connected or not, the harvesting runs continuously in the background...
Analysis Summary
# Incident Report: Covert AI Conversation Interception via Urban VPN Browser Extension
## Executive Summary
The Urban VPN Proxy browser extension was discovered to contain malicious functionality designed to surreptitiously intercept and harvest user conversations across ten major AI platforms, including ChatGPT, Gemini, and Copilot. The data collection mechanism was hardcoded, enabled by default, and operated continuously regardless of the VPN connection status, representing a severe privacy violation and potential data theft operation. The compromise vector was the installation of the malicious browser extension itself.
## Incident Details
- **Discovery Date:** December 19, 2025 (Based on linked article date)
- **Incident Date:** Pre-installation/Ongoing (The vulnerability/functionality existed as long as the extension was installed)
- **Affected Organization:** Urban VPN Proxy (Vendor/Distributor of the malicious software)
- **Sector:** Software/Browser Extensions, Cybersecurity, AI Services
- **Geography:** Global (Affecting any user who installed the extension)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Corresponds to the moment a user installed the malicious extension)
- **Vector:** Malicious Browser Extension Installation.
- **Details:** Users were tricked into installing the Urban VPN Proxy extension, which contained hidden code designed for data harvesting.
### Lateral Movement
- **Details:** Not applicable to traditional network lateral movement. The compromise was confined to the user's browser session interacting with the specified AI websites via the extension’s execution scripts.
### Data Exfiltration/Impact
- **Details:** The extension executed dedicated "executor" scripts for each targeted AI platform (ChatGPT, Claude, Gemini, Copilot, etc.). These scripts captured:
  * Every user prompt sent to the AI.
  * Every AI response received.
  * Conversation identifiers, timestamps, and session metadata.
  * The specific AI platform and model used.
### Detection & Response
- **Detection:** The malicious functionality was exposed and publicly disclosed by security researchers (referenced via the KOI AI link).
- **Response Actions:** The only remediation action mentioned is the complete uninstallation of the browser extension by the user. (No centralized response/patching information is provided).
## Attack Methodology
- **Initial Access:** Supply Chain compromise via a seemingly legitimate, high-utility browser extension (VPN/Proxy).
- **Persistence:** The malicious harvesting was hardcoded and enabled by default, running continuously in the background regardless of the VPN switch state.
- **Privilege Escalation:** Not applicable in the traditional sense; the extension operated with the permissions granted during its installation within the browser sandbox, allowing DOM/network monitoring.
- **Defense Evasion:** The data collection was hidden inside the extension's configuration using hardcoded flags, circumventing user awareness and offering no visible control (no user-facing toggle to disable harvesting).
- **Credential Access:** Not explicitly stated, but capturing sensitive session metadata could facilitate future attacks.
- **Discovery:** Implicit within the extension's operational scope targeting known AI interfaces.
- **Lateral Movement:** Not applicable.
- **Collection:** Dedicated "executor" scripts were embedded for each of the ten targeted AI platforms to intercept interaction data directly from the browser context.
- **Exfiltration:** Implied, as data was "captured," suggesting transmission to an external controller server (though the destination is not detailed in the summary).
- **Impact:** Privacy violation and theft of proprietary or sensitive user inputs/outputs from secure AI sessions.
## Impact Assessment
- **Financial:** Unknown, tied to potential misuse of stolen proprietary data or user secrets.
- **Data Breach:** High-sensitivity PII/PHI/IP potentially captured through user prompts across ten major AI services. The volume depends on how long the extension was in use.
- **Operational:** Disruption to user workflows due to compromised security posture; loss of trust in widely used software tools.
- **Reputational:** Significant reputational damage to the Urban VPN Proxy service and potential secondary impact on trust in browser extension security generally.
## Indicators of Compromise
- **Network Indicators (Defanged):** Contact with unknown C2 infrastructure associated with data transmission from the browser environment.
- **File Indicators:** Presence of dedicated "executor" JavaScript files specifically targeting AI platform URLs (e.g., `chatgpt.com`, `gemini.google.com`, etc.) within the extension source code.
- **Behavioral Indicators:** Continuous background activity in the browser, independent of VPN connection status, relating to AI website traffic interception.
## Response Actions
- **Containment Measures:** Immediate uninstallation of the Urban VPN Proxy extension by affected users. Blocking network access to any identified exfiltration domains at the firewall/proxy level (if identified).
- **Eradication Steps:** Complete removal of the extension from all affected user environments.
- **Recovery Actions:** Users must review and potentially reset access to accounts connected to the AI services they used while the extension was active.
## Lessons Learned
* **Trust Boundary Violation:** Free, high-utility software (like VPNs) can serve as a powerful vector for data harvesting if users prioritize convenience over vetting security.
* **Visibility is Key:** The lack of a user-facing control to disable the core malicious function meant the software was performing unauthorized actions continuously and invisibly.
* **AI Platform Sensitivity:** AI interfaces are a high-value target; compromises here capture evolving IP and sensitive queries.
## Recommendations
* **Stringent Extension Vetting:** Organizations must implement policies restricting the installation of non-essential browser extensions, especially those requiring broad network access permissions.
* **Runtime Monitoring:** Implement browser-level security monitoring to detect extensions performing unexpected network callbacks or DOM manipulation that is not justified by their primary function.
* **Zero Trust for Trust Assets:** Treat inputs to third-party high-value services (like major LLMs) as sensitive data, regardless of the perceived security of ancillary software used during interaction.
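
The file indicator and the extension-vetting recommendation above can both be checked from installed extensions' `manifest.json` files. The following is an added example, not code from the report or from the researchers: it lists content scripts and host permissions that reach AI chat hosts. Only `chatgpt.com` and `gemini.google.com` come from the page; the other hosts, the function names and the sample file names in any test input are assumptions of this example.

```python
import json
from pathlib import Path

# Hosts of AI chat front ends. chatgpt.com and gemini.google.com are named on
# the page; the rest are this example's assumptions. Extend for your estate.
AI_HOSTS = ["chatgpt.com", "gemini.google.com", "claude.ai",
            "copilot.microsoft.com", "www.perplexity.ai", "chat.deepseek.com",
            "grok.com", "www.meta.ai"]

def pattern_hosts(pattern):
    """Return the AI hosts covered by one Chrome match pattern."""
    if pattern == "<all_urls>":
        return list(AI_HOSTS)
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return []  # API permission such as "storage", or a non-web scheme
    host = rest.split("/", 1)[0]
    if host == "*":
        return list(AI_HOSTS)
    if host.startswith("*."):  # subdomain wildcard also matches the base host
        base = host[2:]
        return [h for h in AI_HOSTS if h == base or h.endswith("." + base)]
    return [h for h in AI_HOSTS if h == host]

def audit_manifest(manifest):
    """List content scripts and host permissions that reach AI chat pages."""
    findings = []
    for entry in manifest.get("content_scripts", []):
        hosts = sorted({h for p in entry.get("matches", []) for h in pattern_hosts(p)})
        if hosts:
            findings.append({"kind": "content_script", "hosts": hosts, "files": entry.get("js", [])})
    # MV3 uses host_permissions; MV2 mixes host patterns into permissions.
    perms = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    hosts = sorted({h for p in perms if isinstance(p, str) for h in pattern_hosts(p)})
    if hosts:
        findings.append({"kind": "host_permission", "hosts": hosts, "files": []})
    return findings

def scan_extensions_dir(root):
    """Audit every <id>/<version>/manifest.json under a profile's Extensions dir."""
    report = {}
    for path in Path(root).glob("*/*/manifest.json"):
        try:
            found = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if found:
            report[path.parent.parent.name] = found
    return report
```

A VPN extension can justify broad host permissions, so the result to review first is a `content_script` finding aimed at AI chat hosts, compared against the extension's stated purpose.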