
Well please prove me wrong but having talked to people like Roger Dingledine and Jacob Appelbaum in person and knowing a thing or two about how the Tor Project works, I have zero reason to think that this funding influences the security of Tor in any way, which is what "having its fingers in it" sounds like. The USA not funding the Tor project would, as far as I have been able to discover, not have changed anything about how likely it is that the USA or any other government has access to Tor users' data. If there are intentional bugs (bugdoors) inserted by any contributor, then those would be kept separate from any public funding it receives. Perhaps I'm not cynical, skeptical, or well-read enough though, so again, please point me towards anything that would suggest otherwise.

Then as for VPNs, they're again a very different thing. Funding research or a non-profit is very different from operating a commercial entity under a guise while abusing the trust anyone places in it. The comparison seems to me like comparing funding for general car safety or emission research with suggestions that the government operates one or multiple taxi services in order to learn who goes where. It's not that governments don't set up fronts or operate commercial entities under a guise ever, but rather that I have yet to hear of doing it for the purpose of surveilling random people (you have to get lucky in that anyone of interest signs up for yours, targeted marketing or no) that are not suspected of anything. Aren't fronts usually to enable targeted investigations or do specific actions unnoticed? Like, they might operate a VPN so it doesn't look weird if their secret operators use those IP ranges as well, but the main goal wouldn't be to spy on users (not saying they wouldn't do that on the side, of course, but it's getting more far-fetched).



This link should explain it:

https://surveillancevalley.com/blog/fact-checking-the-tor-pr...

The author of this book did FOIA requests to various entities but most of them got predictably shot down for national security concerns. This one obscure government agency, Broadcasting Board of Governors, wasn't covered by these exemptions.

So the author read the emails between BBG and the Tor Project maintainers and found that when they received a bug report, rather than fixing it they reported it to their sponsors. The government would then exploit the bug for years before the Tor guys got around to fixing it.


That link reads very much like a conspiracy theory blog, "shocking revelation", "Anyone who questioned this [was] attacked, ridiculed, smeared and hounded into silence", "But the facts wouldn't go away."

The content is worth following up on, though. Those emails are as if written in an alternate reality, where Roger Dingledine is a government agent. They seem hard to believe, but scrolling down there is a PGP signature with the right key ID. I can't verify the sig, the email that I'd have to type over is many pages long and I'd be fighting line endings and it might never match and I'd not know if it's due to a mistake on my part or because the message doesn't match the sig so it wouldn't prove anything anyway. The signing key ID is also a short one (64 bits) so it could also be forged with some effort. I've reached out on IRC some hours ago to see if they deny it, as there is nothing on the Tor Project's blog, but have yet to get a response.


arma.exe is not responding. The plot thickens...



