Cryptocurrency investor Michael Terpin can move forward with his case against mobile operator AT&T over his claims the firm was in part responsible for a SIM-swap hack that robbed him of holdings worth $24 million.

In August 2018, Terpin initiated the case against AT&T alleging that an employee, named as Jahmil Smith, had been bribed by a “criminal gang” to assist the fraud, which passed control of the investor’s SIM card to the hackers. Terpin alleged that while he was on the telco’s hotline trying to regain access to his phone, his cryptocurrencies were stolen by the gang.

In the latest document from the case, filed on Monday, Judge Otis Wright II at the U.S. District Court in the Central District of California denied much of AT&T’s most recent motion to dismiss the case.

The court had found in July that while Terpin had sufficiently alleged that the hack was “reasonably foreseeable,” he had not shown proximate cause because he did “not connect how granting the hackers/fraudsters access to [his] phone number resulted in him losing $24 million.”

With the investor allowed leave to amend the complaint, Wright found that Terpin has now sufficiently alleged proximate cause between AT&T’s conduct and the theft.

AT&T had also contended that Terpin did not provide facts to support his claim that two-factor authentication (2FA) was involved in the crime because his cryptocurrency wallets may or may not have used 2FA – an extra level of security that sends a code to a related cellphone number to allow account access.

However, in denying the firm’s motion to dismiss, the judge said, “Mr. Terpin alleges sufficient facts for the Court to reasonable infer the hackers may have used 2FA methods to glean Mr. Terpin’s personal information from various accounts, such as email or cloud storage.”

AT&T had also attempted to have Terpin’s tort claims for financial losses thrown out by contending that they are barred by economic loss doctrine, which sets out that parties entering a contract should be able to anticipate any potential losses resulting from a breach of the agreement.

However, if there is a “special relationship” between the parties, tort claims can be made if one party breaches the contract.

Judge Wright found that since Terpin was required to share personal information with AT&T “with the understanding that AT&T would adequately protect it,” he had sufficiently made a case for there being a special relationship.

On points where Judge Wright did not rule against AT&T in the motion, Terpin has been given 21 days to file an amended complaint to address any deficiencies.

Terpin is suing AT&T for $23.8 million in compensation, as well as $200 million in punitive damages.

In a press release on Tuesday, Terpin announced that he will file a second amended complaint before the court’s deadline to support his request for punitive damages. He plans to demonstrate “how AT&T was both knowledgeable of, and responsible for, an ongoing sequence of cryptocurrency thefts due to SIM swaps dating back to well before Terpin’s hack,” the release states.

See the full court document below: