biscience

Also known asbiscience

BiScience is the company affiliated with Urban VPN and is described in the provided content as receiving data collected by browser extensions including Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker. According to the cited research, these extensions harvested chatbot conversation data from users of major AI platforms including ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok, and Meta AI, affecting over 8 million users. The extensions reportedly used dedicated scripts to intercept conversations, including overriding browser fetch() and XMLHttpRequest APIs to capture network requests and responses, and transmitted the captured data to analytics.urban-vpn.com and stats.urban-vpn.com, which are controlled by BiScience. The collection was enabled by default, could not be disabled except by uninstalling the extensions, and occurred even when the VPN was not active. The content also states that prior investigative work by Wladimir Palant and John Tuckner documented BiScience's collection of clickstream and browsing history data, and that newer findings indicate BiScience expanded into collecting AI conversation data. No additional aliases or sub-groups are provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

6 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

5 of 15 tactics6 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

2 techniques

T1589

Gather Victim Identity Information

T1598

Phishing for Information

TA0005

Stealth

1 technique

T1036

Masquerading

TA0009

Collection

1 technique

T1213

Data from Information Repositories

TA0011

Command and Control

1 technique

T1071

Application Layer Protocol

TA0010

Exfiltration

1 technique

T1567

Exfiltration Over Web Service

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

Dec 16, 2025

Browser 'privacy' extensions have eye on your AI, log all your chats

BiScience is operating browser extensions (including Urban VPN Proxy, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker) that harvest the text of chatbot conversations and browsing data from millions of users and transmit it to their servers, selling the data for marketing purposes.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping6

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.