This study addresses the lack of large-scale empirical analysis on user disclosure behavior in cybercrime forums, particularly the dynamic evolution between initial posts and private messages. We propose a benign–gray–criminal tripartite classification framework and employ a large language model (LLM)-driven scalable annotation pipeline to analyze over 3.5 million posts from 300,000 users on a major forum. Using Markov chain modeling to capture transitions across content tiers, we present the first large-scale quantitative characterization of criminal disclosure in such forums. Our findings reveal a prevalent incremental strategy: while 25% of initial posts contain explicit criminal content and more than one-third of users disclose criminal activity at least once, over two-thirds primarily engage in benign or gray-zone content, underscoring the critical role of the gray area as an entry point and behavioral buffer.

Cybercrime forums play a central role in the cybercrime ecosystem, serving as hubs for the exchange of illicit goods, services, and knowledge. Previous studies have explored the market and social structures of these forums, but less is known about the behavioral dynamics of users, particularly regarding participants' disclosure of criminal activity. This study provides the first large-scale assessment of crime disclosure patterns in a major cybercrime forum, analysing over 3.5 million posts from nearly 300k users. Using a three-level classification scheme (benign, grey, and crime) and a scalable labelling pipeline powered by large language models (LLMs), we measure the level of crime disclosure present in initial posts, analyse how participants switch between levels, and assess how crime disclosure behavior relates to private communications. Our results show that crime disclosure is relatively normative: one quarter of initial posts include explicit crime-related content, and more than one third of users disclose criminal activity at least once in their initial posts. At the same time, most participants show restraint, with over two-thirds posting only benign or grey content and typically escalating disclosure gradually. Grey initial posts are particularly prominent, indicating that many users avoid overt statements and instead anchor their activity in ambiguous content. The study highlights the value of LLM-based text classification and Markov chain modelling for capturing crime disclosure patterns, offering insights for law enforcement efforts aimed at distinguishing benign, grey, and criminal content in cybercrime forums.