
I've always assumed that Tor was a top target for 3 letter agencies. In that sense, there is so much attention on it that it's kinda pointless.



For any such agency, a handful of Tor nodes gives your own agents a useful secure channel. An overwhelming majority of nodes would give you good insight into what other users are doing, but it's very hard to get such a majority since of course all your competitors think the same. Putting in place a handful of nodes to benefit your own agents is very possible, so that's what you do.


You can just hack into existing nodes. There are few enough nodes that accessing a large proportion of them is easily within the budget of a state security agency.


And so can all the other agencies, same consequences.


I don't understand: How does it protect end-user privacy if multiple state agencies, rather than just one, can access their identity and metadata?


No, no, at most one can obtain such dominance.

Multiple state agencies can fight over control of nodes and, if one of them somehow controls enough nodes they get such information.

If you're right that such agencies can afford to, I dunno, expend zero days to seize control of nodes, they're all going to do that. That doesn't magically create more nodes, just makes it harder to decide who (if anyone) controls them.

The most likely outcome isn't that multiple state agencies can get this done, but that none of them can despite their fervent wishes otherwise.


With repetition and italics - well that's more convincing!

They don't need to control the node; good hacking and spying doesn't reveal your presence unless that is beneficial. Nothing stops multiple attackers from having access unless they want to interfere with each other.


During the Blitz and through the V-weapon attacks, Germany relied heavily on field agents to let it know what it was really hitting in England. If the agents consistently reported that attacks were striking outer North West London for example, German targets would be adjusted South East to compensate. Like when target shooting.

Except, those agents didn't actually work for the Germans. Twenty Committee (because twenty = XX in Roman Numerals, a Double Cross) had identified all the German agents and offered them either indefinite imprisonment for Espionage, or service as agents feeding bogus information to their German masters (and we can infer, the third alternative was death). You can guess what most of them chose.

Twenty Committee in effect ran German Espionage in WWII. If they had destroyed all these agents the Germans would have known and perhaps, in time, the Germans would have replaced them, but instead the Germans believed they had a working on-the-ground network of agents in Britain.

The point of the story is: "Just" having accurate information when actually somebody else controls your source of intelligence isn't actually having accurate information at all, it means you're a fool. Either you have control or you do not.


> I've always assumed that Tor was a top target for 3 letter agencies

Tor doesn't defend against a global adversary like a three-letter agency with capabilities to monitor network traffic and latency globally, panopticon-style. This is explained plainly in the Tor design spec.


Where did Tor come from, again?


Created by the US Navy and currently majorly funded by the US Department of State, for those unaware.


"Comments should get more thoughtful and substantive, not less, as a topic gets more divisive." https://news.ycombinator.com/newsguidelines.html (Not sure a rhetorical question to make some vague accusation counts as a substantive comment)


It's not a "vague accusation", onion routing was developed by the US Naval Research Academy ("NRL", a 3 letter government agency).

See https://en.wikipedia.org/wiki/Tor_(network)#History for more detail.


The vague accusation is that because "onion routing"[1] has roots in the military, it must have a backdoor that we haven't uncovered in decades. If the person had posted this Wikipedia link with the info you mentioned, for example, I wouldn't have thought it unsubstantial per the guidelines (even if the claim/accusation itself is unsubstantiated by the evidence, that's a difference of opinion and not a guidelines thing).

[1] Not the cryptography, not even the code implementation, but just the general concept: having a message packed in several layers of encryption such that intermediate routers don't know the contents. https://en.wikipedia.org/wiki/Onion_routing


The entire Internet has its roots in the US military, as does ASCII.



