An Israeli-American cybersecurity expert is warning that conversations users have with popular large language models are not secure. Koi says Google Chrome and Microsoft Edge extensions have been secretly harvesting this AI chatbot dialogue and selling it to advertisers.
The Washington, D.C. and Tel Aviv-based firm, founded by former members of Israeli intelligence organizations, revealed its alarming finding on its website and social media earlier this month.
“Our research team discovered that Urban VPN and seven related Edge and Chrome extensions have been harvesting complete conversations from ChatGPT, Claude, Gemini, Copilot, Perplexity, and more,” Koi explained, “and selling them to data brokers.”
The startup says the only way to prevent it is to uninstall the extensions immediately. The data harvesting runs continuously in the background, regardless of whether the VPN is turned on.
More than seven million users have installed the Urban VPN Proxy browser extension because it is marketed as being free and effective. Furthermore, it has a 4.7-star rating from approximately 58,000 people and had a “Featured” badge on the Google Chrome Web Store before Koi’s report was released. This increased its appeal to those who were unaware of its malicious activity.
It advertises itself as a digital tool that can protect your privacy and hide your IP address, but in reality it has been intruding on the privacy of its users. The spyware-like features arrived with the VPN’s latest update in July.
“Medical questions, financial details, proprietary code, personal dilemmas,” Koi elaborated, “all of it, sold for marketing analytics purposes.”
Koi has also warned that 1ClickVPN Proxy, Urban Browser Guard and Urban Ad Blocker are guilty of similar activity, though they are much less popular than Urban VPN.
“What makes this case notable isn’t just the scale – 8 million users – or the sensitivity of the data – complete AI conversations,” Koi concluded. “It’s that these extensions passed review, earned Featured badges, and remained live for months while harvesting some of the most personal data users generate online.”
Koi’s report drew a great deal of attention in mid-December, shining a harsh light on how even “Featured” browser extensions with millions of installs could quietly siphon off private AI chats for months without anyone noticing. Within days, Google yanked Urban VPN Proxy and the seven related extensions from the Chrome Web Store, cutting off new downloads and stripping away that misleading badge of trust.
Microsoft Edge followed suit shortly after, pulling them too. The sneaky data-harvesting code, slipped in back in July, got shut down for good on the store side, but not before exposing up to eight million users’ medical confessions, financial talks, and personal rants to data brokers.
It was a swift takedown that slowed the rate of future installs, though anyone who had been running those extensions since the summer probably already had their conversations scooped up and sold off.
One of many alarming findings
The Urban VPN scandal is just one piece of a worrying pattern Koi has been uncovering lately, underscoring how fragile our digital supply chains really are. Shortly after came Koi’s exposure of a malicious npm (node package manager) package called lotusbail that made itself appear to be a legit WhatsApp API (application programming interface) tool while secretly stealing messages, contacts, credentials, and even linking attackers’ devices for ongoing access. Lotusbail was downloaded more than 56,000 times.
Then, right around Christmas, Koi dug into the Trust Wallet Chrome extension compromise, where a sneaky update on Christmas Eve let thieves drain about US$7 million in crypto in under 48 hours by grabbing seed phrases on every wallet unlock.
These back-to-back revelations from the D.C.-based startup, run by ex-Israeli intel pros, aren’t just isolated bugs; they’re a wake-up call that bad actors are getting bolder and smarter at slipping malware into tools we trust every day, from chat apps to crypto wallets.
In a world where we’re handing over more personal data than ever, findings like these push for tougher reviews, better update safeguards, and a healthy dose of skepticism toward anything promising “free” privacy.
Follow Rowan Dunne on LinkedIn
rowan@mugglehead.com