Mail hacked?

I have a account at DH with some sites hosted. One of them appear to have been hacked this week.
The owner (a friend) received several emails in russian and one of his local server was hacked with a message saying they want bitcoins to give back the data on it.

This website use gsuite as email server, which means smpt is provided by google, not dreamhost. But the russian emails are using “” as smtp.

What I want to know is, how can they use the mail server of dreamhost for that?
Can anyone help me?

I can put whole header of the email here but I am not sure it is allowed

it could be a different customers email credentials.

or more probably… sounds like the name of a shared hosting server. If a hacker has control of an account on the shared server they can generate emails originating from that server.

Edit to add:

you should really open a ticket so the abuse team can take a look…

Please file a ticket as soon as possible with this sort of issues: there is really not much that can be done from the forums to investigate and solve issues of hacked sites.