Urban VPN Proxy AI chat data leak
Data Leak
Summary
Hide ▲
Show ▼
The Urban VPN Proxy browser extension was updated on July 9, 2025 to silently exfiltrate AI chat prompts and responses, exposing conversation data from millions of Chrome and Edge users. The collection covered chats with ChatGPT, Claude, Copilot, DeepSeek, Gemini, Grok, Meta AI, and Perplexity. It routed the captured material to analytics.urban-vpn[.]com and stats.urban-vpn[.]com. The leak also included conversation identifiers, timestamps, session metadata, and model details, widening the privacy impact beyond prompt text alone.
Related Happenings
Widespread exposure and misconfiguration in self-hosted AI infrastructure
Target Trend
First: 05.05.2026 13:30
Last: 05.05.2026 13:30
Sources 1
About this happening:
A large-scale measurement found **self-hosted AI infrastructure** was being deployed with **widespread exposure and no authentication**, creating a broad risk of data theft, workf...
Widespread exposure and misconfiguration in self-hosted AI infrastructure
Target TrendAbout this happening: A large-scale measurement found **self-hosted AI infrastructure** was being deployed with **widespread exposure and no authentication**, creating a broad risk of data theft, workf...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector ActionAbout this happening: **NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
APT28 FrostArmada DNS hijacking and AitM credential theft campaign
Campaign
First: 07.04.2026 18:51
Last: 07.04.2026 18:51
Sources 1
About this happening:
A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...
APT28 FrostArmada DNS hijacking and AitM credential theft campaign
CampaignAbout this happening: A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...
AI as a C2 proxy abuse of Microsoft Copilot and xAI Grok browsing channels
Technical Analysis
First: 17.02.2026 20:08
Last: 17.02.2026 20:08
Sources 1
About this happening:
Researchers disclosed **AI as a C2 proxy**, a technique that can turn **Microsoft Copilot** and **xAI Grok** browsing features into stealthy **command-and-control relays**, increa...
AI as a C2 proxy abuse of Microsoft Copilot and xAI Grok browsing channels
Technical AnalysisAbout this happening: Researchers disclosed **AI as a C2 proxy**, a technique that can turn **Microsoft Copilot** and **xAI Grok** browsing features into stealthy **command-and-control relays**, increa...
CL Suite Chrome extension stealing Meta Business data
Malware Activity
First: 13.02.2026 13:25
Last: 13.02.2026 13:25
Sources 1
About this happening:
The **CL Suite** Chrome extension is exfiltrating **TOTP seeds**, **current 2FA codes**, and **Meta Business** data from **Meta Business Suite** and **Facebook Business Manager**...
CL Suite Chrome extension stealing Meta Business data
Malware ActivityAbout this happening: The **CL Suite** Chrome extension is exfiltrating **TOTP seeds**, **current 2FA codes**, and **Meta Business** data from **Meta Business Suite** and **Facebook Business Manager**...
Timeline
-
15.12.2025 19:46 1 articles · 5mo ago
Urban VPN privacy policy adds AI prompt collection
Legal Policy Action UpdateUrban VPN Proxy's updated privacy policy, as of June 25, 2025, says it collects AI prompts and outputs for Safe Browsing and marketing analytics, and says any secondary use of the gathered AI prompts will be carried out on de-identified and anonymized data even though sensitive personal information may be processed.
Show sources
- Featured Chrome Browser Extension Caught Intercepting Millions of Users' AI Chats — thehackernews.com — 15.12.2025 19:46
-
15.12.2025 19:46 1 articles · 5mo ago
Urban VPN Proxy version 5.5.0 enables AI chat harvesting
Technical Analysis UpdateUrban VPN Proxy version 5.5.0, released on July 9, 2025, enabled AI data harvesting by default using hard-coded settings and used tailored executor JavaScript such as chatgpt.js, claude.js, and gemini.js to intercept prompts and responses on targeted AI chatbots before exfiltrating the conversations to analytics.urban-vpn[.]com and stats.urban-vpn[.]com.
Show sources
- Featured Chrome Browser Extension Caught Intercepting Millions of Users' AI Chats — thehackernews.com — 15.12.2025 19:46
-
15.12.2025 19:46 2 articles · 5mo ago
Koi Security reports Urban VPN Proxy AI chat harvesting
Initial DisclosureKoi Security reported that Urban VPN Proxy, a Featured Chrome extension with six million users, silently gathered prompts from AI chatbots including OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity, and said identical AI harvesting appeared in three other extensions from the same publisher across Chrome and Microsoft Edge, taking the publisher's total install base to over eight million.
Show sources
- Featured Chrome Browser Extension Caught Intercepting Millions of Users' AI Chats — thehackernews.com — 15.12.2025 19:46
- Urban VPN Proxy Accused of Harvesting AI Chat Conversations — www.infosecurity-magazine.com — 16.12.2025 18:45