I'm aware of the Sourceforge story. They made a stupid move by changing the installers of some unmaintained projects.
As for VeraCrypt, they never touched the binaries and they never will, for a simple reason: all VeraCrypt binaries are PGP signed and, more importantly, the Windows binary has an embedded digital signature that is automatically checked by Windows.
Moreover, Sourceforge only modified unsigned installers for unmaintained projects and afterwards they backtracked, so I don't see any issue for the future.
If you want to avoid Sourceforge, you can use Codeplex as it contains exactly the same binaries.
Sourceforge provides a wonderful hosting infrastructure that is not equaled anywhere else in the free open source hosting offering. If you want to have the same download quality (they have multiple mirrors across the globe) and statistics services they provide, you'll have to pay extra cash or you need to be sponsored by some business. I suspect that there are some entities that want to profit from this Sourceforge mistake in order to take them down and thus force many projects to pay extra money for services that are free with Sourceforge.
In all cases, no matter what download source you are using, always check the signature of the files as described here: