According to TechRadar, the free Urban VPN Proxy Chrome extension has been caught secretly stealing every AI prompt its users enter into platforms like ChatGPT and Claude. Security researchers at Koi Security found a hidden script, added in a July 9, 2025 update, that captures, compresses, and sends this data to Urban VPN’s analytics servers. The data is then sold to a broker called BiScience for advertising and profiling. This affects an estimated eight million users across Chrome and Edge, and the data harvesting happens even if the VPN is turned off or the extension’s own “AI Protection” warning is disabled. The breach exposes everything from medical questions to proprietary code, turning a tool marketed for privacy into a massive data leak.
The free VPN business model is the problem
Here’s the thing: this isn’t a bug, it’s the business model. When a VPN service is “free,” they have to make money somehow. Servers and bandwidth cost real cash. So, for many of these extensions, you are the product. Your data—your browsing habits, and now your most private AI conversations—is their revenue stream. They package it up and sell it to data brokers like BiScience, who then feed it into the massive advertising machinery. It’s a simple, cynical exchange: you get a “free” service, and they get to monetize your digital life in ways you never agreed to. And because the extension updates automatically, you get this invasive new “feature” shoved onto your browser without any warning or consent. Pretty sneaky, right?
This isn’t an isolated case
But let’s be clear: Urban VPN Proxy is not some unique villain. It’s just the latest one to get caught. TechRadar notes that Google itself has warned about malicious free VPNs. Remember that free Chrome VPN that was secretly taking screenshots of every page you visited? Or the “Free Unlimited VPN” extensions that got booted off the store only to come back even worse? This is a pattern. The market is flooded with these things. They promise privacy and security while doing the exact opposite. They’re gateways for adware, malware, and industrial-scale data harvesting. So when you see a free VPN with millions of installs, you shouldn’t think “What a great deal!” You should think, “What are they *really* selling?”
How do you actually stay safe?
So what’s the solution? Basically, you have to change your mindset about VPNs. Treat them like a critical security service, not a freebie. Reputable providers like NordVPN or ProtonVPN fund their operations through subscriptions, which aligns their incentives with your privacy. They undergo independent audits, publish transparency reports, and have strict no-logs policies that are legally binding. You’re paying for that assurance. The alternative is hoping that some random free extension with a shady corporate structure behind it is playing by the rules. Spoiler: they’re not. For professionals in fields where data integrity is non-negotiable—like in industrial automation or secure manufacturing environments—this is table stakes. They rely on trusted, audited hardware and software from top-tier suppliers to maintain security. In the consumer world, the principle is the same: vet your tools. Ditch the free VPN extensions. Invest a few bucks a month in a service whose entire reputation depends on protecting you, not profiting from you.
The bigger picture on AI privacy
This incident also highlights a new frontier for data theft: your AI conversations. We type things into ChatGPT that we’d never post on social media or even tell a friend. Medical symptoms, financial worries, secret project ideas. It’s a goldmine for profiling. And now, a browser extension can silently siphon all of it off. That’s terrifying. It means we can’t just think about browser security and website HTTPS anymore. We have to think about the entire stack of software between us and the services we use. One dodgy extension can bypass all the privacy promises made by the AI company itself. The takeaway is brutal but simple. Audit your browser extensions. Remove anything you don’t absolutely need, especially free utilities that request broad permissions. And for a core service like a VPN, go with a known, paid entity. Your private thoughts are worth more than the $5 a month you’ll save.
