the police make up some alternative explanation of how they got the evidence
So, they did two things: in phase one, they identified the guy running Freedom Hosting. In phase two, they identified the people connecting to it.
We don't really know how they did phase one. Speculation is that they hacked in over the Tor channel, using a software exploit against the Web server. If you have a giant database of exploits and a nice framework for using them, that's not really much harder than traffic analysis, even if you do have the data to do traffic analysis too. And, if you're going to do the hack ANYWAY to cover up your ability to do traffic analysis, you might as well just start with the hack.
Also, if it was the NSA who did it, maybe they did it that way so they wouldn't have to explain traffic analysis to certain investigators in the FBI. Or maybe they just did the hack because it was easier. None of those means the NSA couldn't have done it with traffic analysis if the hack hadn't been available.
Or maybe they really did identify Freedom Hosting using traffic analysis, and then use a hack as a cover story.
Or maybe the NSA wasn't in on this one and the FBI just did its own hacking.
For phase two, if you want to get ALL the users, quickly, the hack is really probably better than the traffic analysis. But again they could be using it as a cover story, or they could have done it for the same sorts of reasons they might have done it in phase one.
Also, the hack was somewhat sophisticated. If not the NSA then who?
Anybody with enough money to hire a sophisticated hacker? We're talking about basic exploitation, not Stuxnet.
In phase one, if Freedom Hosting was taken using, say, an SQL injection vulnerability in some Web forum software or something, that's not very hard. You don't have to be the NSA to do that. Freelancers do that.
And didn't they start phase two after they'd physically grabbed the Freedom Hosting servers? That means their phase one exploit didn't even have to give total control; it just had to be enough to give them an IP address for Freedom Hosting so they could go grab it by force.
Once you have control of Freedom Hosting, then it's not very hard to plant a browser exploit on it to collect the users for phase two. As I recall, it wasn't even some kind of uber-magical zero-day multi-browser exploit; I seem to remember it being relatively mundane.
I'm pretty sure I could personally have done all the necessary hacking, for both phases, and I'm not an exploitation specialist. Surely the FBI can hire one or two people that good.